From e4bbdda1297d4172edb14c8d0f9fe7ee043b7515 Mon Sep 17 00:00:00 2001
From: Angela Chuang <6295984+angorayc@users.noreply.github.com>
Date: Tue, 20 Apr 2021 10:30:30 +0100
Subject: [PATCH] use smaller piece of mock data (#96953)
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
---
 .../apis/security_solution/kpi_hosts.ts | 349 +-
 .../es_archives/auditbeat/default/data.json | 110231 +++++++++++++++
 .../es_archives/auditbeat/kpi_hosts/data.json | 194 +
 .../auditbeat/kpi_hosts/mappings.json | 1903 +
 .../es_archives/filebeat/kpi_hosts/data.json | 133 +
 .../filebeat/kpi_hosts/mappings.json | 5940 +
 6 files changed, 118564 insertions(+), 186 deletions(-)
 create mode 100644 x-pack/test/functional/es_archives/auditbeat/default/data.json
 create mode 100644 x-pack/test/functional/es_archives/auditbeat/kpi_hosts/data.json
 create mode 100644 x-pack/test/functional/es_archives/auditbeat/kpi_hosts/mappings.json
 create mode 100644 x-pack/test/functional/es_archives/filebeat/kpi_hosts/data.json
 create mode 100644 x-pack/test/functional/es_archives/filebeat/kpi_hosts/mappings.json
diff --git a/x-pack/test/api_integration/apis/security_solution/kpi_hosts.ts b/x-pack/test/api_integration/apis/security_solution/kpi_hosts.ts
index f2e597912c4e..ff395f056354 100644
--- a/x-pack/test/api_integration/apis/security_solution/kpi_hosts.ts
+++ b/x-pack/test/api_integration/apis/security_solution/kpi_hosts.ts
@@ -10,13 +10,14 @@ import { HostsKpiQueries } from '../../../../plugins/security_solution/common/se
 import { FtrProviderContext } from '../../ftr_provider_context';
 
 export default function ({ getService }: FtrProviderContext) {
+  const retry = getService('retry');
   const esArchiver = getService('esArchiver');
   const supertest = getService('supertest');
 
   describe('Kpi Hosts', () => {
     describe('With filebeat', () => {
-      before(() => esArchiver.load('filebeat/default'));
-      after(() => esArchiver.unload('filebeat/default'));
+      before(() => esArchiver.load('filebeat/kpi_hosts'));
+      after(() => esArchiver.unload('filebeat/kpi_hosts'));
 
       const FROM = '2000-01-01T00:00:00.000Z';
       const TO = '3000-01-01T00:00:00.000Z';
@@ -24,19 +25,7 @@ export default function ({ getService }: FtrProviderContext) {
         hosts: 1,
         hostsHistogram: [
           {
-            x: new Date('2019-02-09T16:00:00.000Z').valueOf(),
-            y: 1,
-          },
-          {
-            x: new Date('2019-02-09T19:00:00.000Z').valueOf(),
-            y: 0,
-          },
-          {
-            x: new Date('2019-02-09T22:00:00.000Z').valueOf(),
-            y: 1,
-          },
-          {
-            x: new Date('2019-02-10T01:00:00.000Z').valueOf(),
+            x: new Date('2019-02-09T16:45:06.000Z').valueOf(),
             y: 1,
           },
         ],
@@ -44,246 +33,234 @@ export default function ({ getService }: FtrProviderContext) { authSuccessHistogram: null, authFailure: 0, authFailureHistogram: null, - uniqueSourceIps: 121, + uniqueSourceIps: 1, uniqueSourceIpsHistogram: [ { - x: new Date('2019-02-09T16:00:00.000Z').valueOf(), - y: 52, - }, - { - x: new Date('2019-02-09T19:00:00.000Z').valueOf(), - y: 0, - }, - { - x: new Date('2019-02-09T22:00:00.000Z').valueOf(), - y: 31, - }, - { - x: new Date('2019-02-10T01:00:00.000Z').valueOf(), - y: 88, + x: new Date('2019-02-09T16:45:06.000Z').valueOf(), + y: 1, }, ], - uniqueDestinationIps: 154, + uniqueDestinationIps: 1, uniqueDestinationIpsHistogram: [ { - x: new Date('2019-02-09T16:00:00.000Z').valueOf(), - y: 61, - }, - { - x: new Date('2019-02-09T19:00:00.000Z').valueOf(), - y: 0, - }, - { - x: new Date('2019-02-09T22:00:00.000Z').valueOf(), - y: 45, - }, - { - x: new Date('2019-02-10T01:00:00.000Z').valueOf(), - y: 114, + x: new Date('2019-02-09T16:45:06.000Z').valueOf(), + y: 1, }, ], }; it('Make sure that we get KpiHosts data', async () => { - const { body: kpiHosts } = await supertest - .post('/internal/search/securitySolutionSearchStrategy/') - .set('kbn-xsrf', 'true') - .send({ - factoryQueryType: HostsKpiQueries.kpiHosts, - timerange: { - interval: '12h', - to: TO, - from: FROM, - }, - defaultIndex: ['filebeat-*'], - docValueFields: [], - inspect: false, - wait_for_completion_timeout: '10s', - }) - .expect(200); + await retry.try(async () => { + const { body: kpiHosts } = await supertest + .post('/internal/search/securitySolutionSearchStrategy/') + .set('kbn-xsrf', 'true') + .send({ + factoryQueryType: HostsKpiQueries.kpiHosts, + timerange: { + interval: '12h', + to: TO, + from: FROM, + }, + defaultIndex: ['filebeat-*'], + docValueFields: [], + inspect: false, + wait_for_completion_timeout: '10s', + }) + .expect(200); - expect(kpiHosts.hostsHistogram!).to.eql(expectedResult.hostsHistogram); - expect(kpiHosts.hosts!).to.eql(expectedResult.hosts); + 
expect(kpiHosts.hostsHistogram!).to.eql(expectedResult.hostsHistogram); + expect(kpiHosts.hosts!).to.eql(expectedResult.hosts); + }); }); it('Make sure that we get KpiAuthentications data', async () => { - const { body } = await supertest - .post('/internal/search/securitySolutionSearchStrategy/') - .set('kbn-xsrf', 'true') - .send({ - factoryQueryType: HostsKpiQueries.kpiAuthentications, - timerange: { - interval: '12h', - to: TO, - from: FROM, - }, - defaultIndex: ['filebeat-*'], - docValueFields: [], - inspect: false, - /* We need a very long timeout to avoid returning just partial data. - ** https://github.com/elastic/kibana/blob/master/x-pack/test/api_integration/apis/search/search.ts#L18 - */ - wait_for_completion_timeout: '10s', - }) - .expect(200); - expect(body.authenticationsSuccess!).to.eql(expectedResult.authSuccess); - expect(body.authenticationsSuccessHistogram!).to.eql(expectedResult.authSuccessHistogram); - expect(body.authenticationsFailure!).to.eql(expectedResult.authFailure); - expect(body.authenticationsFailureHistogram!).to.eql(expectedResult.authFailureHistogram); + await retry.try(async () => { + const { body } = await supertest + .post('/internal/search/securitySolutionSearchStrategy/') + .set('kbn-xsrf', 'true') + .send({ + factoryQueryType: HostsKpiQueries.kpiAuthentications, + timerange: { + interval: '12h', + to: TO, + from: FROM, + }, + defaultIndex: ['filebeat-*'], + docValueFields: [], + inspect: false, + /* We need a very long timeout to avoid returning just partial data. 
+ ** https://github.com/elastic/kibana/blob/master/x-pack/test/api_integration/apis/search/search.ts#L18 + */ + wait_for_completion_timeout: '10s', + }) + .expect(200); + expect(body.authenticationsSuccess!).to.eql(expectedResult.authSuccess); + expect(body.authenticationsSuccessHistogram!).to.eql(expectedResult.authSuccessHistogram); + expect(body.authenticationsFailure!).to.eql(expectedResult.authFailure); + expect(body.authenticationsFailureHistogram!).to.eql(expectedResult.authFailureHistogram); + }); }); it('Make sure that we get KpiUniqueIps data', async () => { - const { body } = await supertest - .post('/internal/search/securitySolutionSearchStrategy/') - .set('kbn-xsrf', 'true') - .send({ - factoryQueryType: HostsKpiQueries.kpiUniqueIps, - timerange: { - interval: '12h', - to: TO, - from: FROM, - }, - defaultIndex: ['filebeat-*'], - docValueFields: [], - inspect: false, - wait_for_completion_timeout: '10s', - }) - .expect(200); - expect(body.uniqueDestinationIps!).to.eql(expectedResult.uniqueDestinationIps); - expect(body.uniqueDestinationIpsHistogram!).to.eql( - expectedResult.uniqueDestinationIpsHistogram - ); - expect(body.uniqueSourceIps!).to.eql(expectedResult.uniqueSourceIps); - expect(body.uniqueSourceIpsHistogram!).to.eql(expectedResult.uniqueSourceIpsHistogram); + await retry.try(async () => { + const { body } = await supertest + .post('/internal/search/securitySolutionSearchStrategy/') + .set('kbn-xsrf', 'true') + .send({ + factoryQueryType: HostsKpiQueries.kpiUniqueIps, + timerange: { + interval: '12h', + to: TO, + from: FROM, + }, + defaultIndex: ['filebeat-*'], + docValueFields: [], + inspect: false, + wait_for_completion_timeout: '10s', + }) + .expect(200); + expect(body.uniqueDestinationIps!).to.eql(expectedResult.uniqueDestinationIps); + expect(body.uniqueDestinationIpsHistogram!).to.eql( + expectedResult.uniqueDestinationIpsHistogram + ); + expect(body.uniqueSourceIps!).to.eql(expectedResult.uniqueSourceIps); + 
expect(body.uniqueSourceIpsHistogram!).to.eql(expectedResult.uniqueSourceIpsHistogram); + }); }); }); describe('With auditbeat', () => { - before(() => esArchiver.load('auditbeat/default')); - after(() => esArchiver.unload('auditbeat/default')); + before(() => esArchiver.load('auditbeat/kpi_hosts')); + after(() => esArchiver.unload('auditbeat/kpi_hosts')); const FROM = '2000-01-01T00:00:00.000Z'; const TO = '3000-01-01T00:00:00.000Z'; const expectedResult = { - hosts: 6, + hosts: 3, hostsHistogram: [ { x: new Date('2018-11-27T00:00:00.000Z').valueOf(), - y: 6, + y: 1, }, { x: new Date('2018-11-27T00:30:00.000Z').valueOf(), - y: 6, + y: 0, }, { x: new Date('2018-11-27T01:00:00.000Z').valueOf(), - y: 6, + y: 0, }, { x: new Date('2018-11-27T01:30:00.000Z').valueOf(), - y: 6, + y: 0, }, { x: new Date('2018-11-27T02:00:00.000Z').valueOf(), - y: 6, + y: 1, }, { x: new Date('2018-11-27T02:30:00.000Z').valueOf(), - y: 6, + y: 1, }, ], authSuccess: 0, authSuccessHistogram: null, authFailure: 0, authFailureHistogram: null, - uniqueSourceIps: 370, + uniqueSourceIps: 3, uniqueSourceIpsHistogram: [ - { x: 1543276800000, y: 74 }, - { x: 1543278600000, y: 52 }, - { x: 1543280400000, y: 71 }, - { x: 1543282200000, y: 76 }, - { x: 1543284000000, y: 71 }, - { x: 1543285800000, y: 89 }, + { x: 1543276800000, y: 1 }, + { x: 1543278600000, y: 0 }, + { x: 1543280400000, y: 0 }, + { x: 1543282200000, y: 0 }, + { x: 1543284000000, y: 1 }, + { x: 1543285800000, y: 1 }, ], - uniqueDestinationIps: 1, + uniqueDestinationIps: 0, uniqueDestinationIpsHistogram: [ { x: 1543276800000, y: 0 }, { x: 1543278600000, y: 0 }, { x: 1543280400000, y: 0 }, { x: 1543282200000, y: 0 }, { x: 1543284000000, y: 0 }, - { x: 1543285800000, y: 1 }, + { x: 1543285800000, y: 0 }, ], }; it('Make sure that we get KpiHosts data', async () => { - const { body: kpiHosts } = await supertest - .post('/internal/search/securitySolutionSearchStrategy/') - .set('kbn-xsrf', 'true') - .send({ - factoryQueryType: 
HostsKpiQueries.kpiHosts, - timerange: { - interval: '12h', - to: TO, - from: FROM, - }, - defaultIndex: ['auditbeat-*'], - docValueFields: [], - inspect: false, - wait_for_completion_timeout: '10s', - }) - .expect(200); + await retry.try(async () => { + const { body: kpiHosts } = await supertest + .post('/internal/search/securitySolutionSearchStrategy/') + .set('kbn-xsrf', 'true') + .send({ + factoryQueryType: HostsKpiQueries.kpiHosts, + timerange: { + interval: '12h', + to: TO, + from: FROM, + }, + defaultIndex: ['auditbeat-*'], + docValueFields: [], + inspect: false, + wait_for_completion_timeout: '10s', + }) + .expect(200); - expect(kpiHosts.hostsHistogram!).to.eql(expectedResult.hostsHistogram); - expect(kpiHosts.hosts!).to.eql(expectedResult.hosts); + expect(kpiHosts.hostsHistogram!).to.eql(expectedResult.hostsHistogram); + expect(kpiHosts.hosts!).to.eql(expectedResult.hosts); + }); }); it('Make sure that we get KpiAuthentications data', async () => { - const { body } = await supertest - .post('/internal/search/securitySolutionSearchStrategy/') - .set('kbn-xsrf', 'true') - .send({ - factoryQueryType: HostsKpiQueries.kpiAuthentications, - timerange: { - interval: '12h', - to: TO, - from: FROM, - }, - defaultIndex: ['auditbeat-*'], - docValueFields: [], - inspect: false, - wait_for_completion_timeout: '10s', - }) - .expect(200); - expect(body.authenticationsSuccess!).to.eql(expectedResult.authSuccess); - expect(body.authenticationsSuccessHistogram!).to.eql(expectedResult.authSuccessHistogram); - expect(body.authenticationsFailure!).to.eql(expectedResult.authFailure); - expect(body.authenticationsFailureHistogram!).to.eql(expectedResult.authFailureHistogram); + await retry.try(async () => { + const { body } = await supertest + .post('/internal/search/securitySolutionSearchStrategy/') + .set('kbn-xsrf', 'true') + .send({ + factoryQueryType: HostsKpiQueries.kpiAuthentications, + timerange: { + interval: '12h', + to: TO, + from: FROM, + }, + defaultIndex: 
['auditbeat-*'], + docValueFields: [], + inspect: false, + wait_for_completion_timeout: '10s', + }) + .expect(200); + expect(body.authenticationsSuccess!).to.eql(expectedResult.authSuccess); + expect(body.authenticationsSuccessHistogram!).to.eql(expectedResult.authSuccessHistogram); + expect(body.authenticationsFailure!).to.eql(expectedResult.authFailure); + expect(body.authenticationsFailureHistogram!).to.eql(expectedResult.authFailureHistogram); + }); }); it('Make sure that we get KpiUniqueIps data', async () => { - const { body } = await supertest - .post('/internal/search/securitySolutionSearchStrategy/') - .set('kbn-xsrf', 'true') - .send({ - factoryQueryType: HostsKpiQueries.kpiUniqueIps, - timerange: { - interval: '12h', - to: TO, - from: FROM, - }, - defaultIndex: ['auditbeat-*'], - docValueFields: [], - inspect: false, - wait_for_completion_timeout: '10s', - }) - .expect(200); - expect(body.uniqueDestinationIps!).to.eql(expectedResult.uniqueDestinationIps); - expect(body.uniqueDestinationIpsHistogram!).to.eql( - expectedResult.uniqueDestinationIpsHistogram - ); - expect(body.uniqueSourceIps!).to.eql(expectedResult.uniqueSourceIps); - expect(body.uniqueSourceIpsHistogram!).to.eql(expectedResult.uniqueSourceIpsHistogram); + await retry.try(async () => { + const { body } = await supertest + .post('/internal/search/securitySolutionSearchStrategy/') + .set('kbn-xsrf', 'true') + .send({ + factoryQueryType: HostsKpiQueries.kpiUniqueIps, + timerange: { + interval: '12h', + to: TO, + from: FROM, + }, + defaultIndex: ['auditbeat-*'], + docValueFields: [], + inspect: false, + wait_for_completion_timeout: '10s', + }) + .expect(200); + expect(body.uniqueDestinationIps!).to.eql(expectedResult.uniqueDestinationIps); + expect(body.uniqueDestinationIpsHistogram!).to.eql( + expectedResult.uniqueDestinationIpsHistogram + ); + expect(body.uniqueSourceIps!).to.eql(expectedResult.uniqueSourceIps); + 
expect(body.uniqueSourceIpsHistogram!).to.eql(expectedResult.uniqueSourceIpsHistogram); + }); }); }); }); diff --git a/x-pack/test/functional/es_archives/auditbeat/default/data.json b/x-pack/test/functional/es_archives/auditbeat/default/data.json new file mode 100644 index 000000000000..b10f3cc73ec6 --- /dev/null +++ b/x-pack/test/functional/es_archives/auditbeat/default/data.json 
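Review bot: Every one of the six tests now wraps the request and its assertions in `retry.try(...)`, but nothing in the hunk records why; as far as I recall the FTR retry service re-runs on any thrown error, so a real server error (the `.expect(200)` failing) or a genuinely wrong expected value is retried until the retry timeout instead of failing immediately, which turns regressions into slow, confusing timeouts. Add a comment above the first wrapper such as `// retry: the search strategy may answer before the freshly loaded archive is fully searchable, so re-issue until the full result matches — TODO confirm the actual cause`, and consider giving the retry a concrete exit condition by asserting the response is not flagged partial (the search-strategy response carries `isPartial`/`isRunning` fields, if I remember correctly) rather than only comparing counts; the `retry` service itself is obtained in the first hunk of this file. The six `supertest.post(...)` blocks differ only in `factoryQueryType` and `defaultIndex`, and `FROM`/`TO` are identical in both describe blocks, so a single helper at the top of the exported function would remove the repetition, as sketched below. Separately, the diffstat shows a 110231-line `auditbeat/default/data.json` being created, which sits oddly with a commit titled "use smaller piece of mock data" — presumably an unpacked copy of an existing archive, but worth confirming it is intended.
```typescript
  // … unchanged: getService() lookups at the top of the exported function …
  const FROM = '2000-01-01T00:00:00.000Z';
  const TO = '3000-01-01T00:00:00.000Z';

  // One request shape for every KPI query; only the query type and index pattern vary.
  const fetchKpi = (factoryQueryType: HostsKpiQueries, defaultIndex: string[]) =>
    supertest
      .post('/internal/search/securitySolutionSearchStrategy/')
      .set('kbn-xsrf', 'true')
      .send({
        factoryQueryType,
        timerange: { interval: '12h', to: TO, from: FROM },
        defaultIndex,
        docValueFields: [],
        inspect: false,
        // A long completion timeout avoids partial results; see the existing link in this file.
        wait_for_completion_timeout: '10s',
      })
      .expect(200);

  // … unchanged: describe / before / after / expectedResult …
      it('Make sure that we get KpiHosts data', async () => {
        // Re-issue the request until the full result is visible; retry.try re-runs on any throw.
        await retry.try(async () => {
          const { body: kpiHosts } = await fetchKpi(HostsKpiQueries.kpiHosts, ['filebeat-*']);
          expect(kpiHosts.hostsHistogram!).to.eql(expectedResult.hostsHistogram);
          expect(kpiHosts.hosts!).to.eql(expectedResult.hosts);
        });
      });
  // … unchanged: the other five tests call fetchKpi the same way …
```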
@@ -0,0 +1,110231 @@ +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Rs93UmcBTFzn_XoLWT6M", + "source": { + "@timestamp": "2018-11-27T00:00:11.544Z", + "process": { + "pid": "31964", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "128.199.87.213" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "128.199.87.213", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "128.199.87.213", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 192383, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "R893UmcBTFzn_XoLWT6M", + "source": { + "@timestamp": "2018-11-27T00:00:12.110Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "31966", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "89.40.116.98" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "89.40.116.98", + "type": 
"user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192384, + "result": "fail" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "SM93UmcBTFzn_XoLWT6M", + "source": { + "@timestamp": "2018-11-27T00:00:12.111Z", + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "31966", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "89.40.116.98" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "89.40.116.98", + "type": "user-session" + } + }, + "sequence": 192385, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Sc93UmcBTFzn_XoLWT6M", + "source": { + "@timestamp": "2018-11-27T00:00:12.224Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31966" + }, + "source": { + "ip": "89.40.116.98" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "sequence": 192386, + "result": "fail", + "session": "unset", + "data": { + "hostname": "89.40.116.98", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + 
"summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "89.40.116.98" + } + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "A89-UmcBTFzn_XoLj91w", + "source": { + "@timestamp": "2018-11-27T00:08:04.229Z", + "auditd": { + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "187.188.146.35", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142249, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19190", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "187.188.146.35" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "BM9-UmcBTFzn_XoLj91w", + "source": { + "@timestamp": "2018-11-27T00:08:04.231Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19190", + 
"exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "187.188.146.35" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142250, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "187.188.146.35" + } + } + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Bc9-UmcBTFzn_XoLj91w", + "source": { + "@timestamp": "2018-11-27T00:08:04.295Z", + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "187.188.146.35", + "type": "user-session" + } + }, + "sequence": 142251, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "187.188.146.35" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "19190", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "187.188.146.35" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3M99UmcBTFzn_XoL9c8q", + "source": { + "@timestamp": "2018-11-27T00:07:24.736Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31771" + }, + "source": { + 
"ip": "185.66.213.116" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "185.66.213.116", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186194 + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3c99UmcBTFzn_XoL9c8q", + "source": { + "@timestamp": "2018-11-27T00:07:24.738Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186195, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "185.66.213.116", + "type": "user-session", + "primary": "sshd" + } + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "31771", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "185.66.213.116" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3s99UmcBTFzn_XoL9c8q", + "source": { + "@timestamp": "2018-11-27T00:07:24.872Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "31771", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "185.66.213.116" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "ssh", + "secondary": "185.66.213.116", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + } + }, + "sequence": 186196, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "185.66.213.116" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "cNCAUmcBTFzn_XoLVQS1", + "source": { + "@timestamp": "2018-11-27T00:10:00.521Z", + "source": { + "ip": "202.138.233.92" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142255, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "202.138.233.92", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + 
"user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19202", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "cdCAUmcBTFzn_XoLVQS1", + "source": { + "@timestamp": "2018-11-27T00:10:00.523Z", + "process": { + "pid": "19202", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "202.138.233.92" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142256, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "202.138.233.92", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ctCAUmcBTFzn_XoLVQS1", + "source": { + "@timestamp": "2018-11-27T00:10:00.758Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19202", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "202.138.233.92" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + 
"session": "unset", + "data": { + "hostname": "202.138.233.92", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "202.138.233.92", + "type": "user-session" + } + }, + "sequence": 142257, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Lc9_UmcBTFzn_XoL2_og", + "source": { + "@timestamp": "2018-11-27T00:09:29.142Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "source": { + "ip": "183.6.176.182" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "183.6.176.182" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142252, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19199", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Ls9_UmcBTFzn_XoL2_og", + "source": { + "@timestamp": "2018-11-27T00:09:29.143Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142253, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": 
"user-session", + "primary": "sshd", + "secondary": "183.6.176.182" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19199", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "183.6.176.182" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "L89_UmcBTFzn_XoL2_og", + "source": { + "@timestamp": "2018-11-27T00:09:29.337Z", + "network": { + "direction": "incoming" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "hostname": "183.6.176.182", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "183.6.176.182", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 142254 + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19199", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "183.6.176.182" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0c9_UmcBTFzn_XoL8Ptt", + "source": { + "@timestamp": "2018-11-27T00:09:34.595Z", + "source": { + "ip": "82.165.64.156" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + 
"session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "82.165.64.156", + "type": "user-session" + } + }, + "sequence": 186200, + "result": "fail" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31787" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0s9_UmcBTFzn_XoL8Ptt", + "source": { + "@timestamp": "2018-11-27T00:09:34.596Z", + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "82.165.64.156" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186201 + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "31787", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "82.165.64.156" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": 
"doc", + "id": "089_UmcBTFzn_XoL8Ptt", + "source": { + "@timestamp": "2018-11-27T00:09:34.710Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31787", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "82.165.64.156" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "82.165.64.156", + "type": "user-session" + } + }, + "sequence": 186202, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "82.165.64.156", + "terminal": "ssh" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ns9_UmcBTFzn_XoLYe_m", + "source": { + "@timestamp": "2018-11-27T00:08:58.109Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31779", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.148.18.163" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186197, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + 
"primary": "sshd", + "secondary": "46.148.18.163" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "n89_UmcBTFzn_XoLYe_m", + "source": { + "@timestamp": "2018-11-27T00:08:58.110Z", + "auditd": { + "sequence": 186198, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "46.148.18.163", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31779", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.148.18.163" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "oM9_UmcBTFzn_XoLYe_m", + "source": { + "@timestamp": "2018-11-27T00:08:58.253Z", + "source": { + "ip": "46.148.18.163" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "46.148.18.163", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "46.148.18.163" + } + }, + "sequence": 186199, + "result": "fail" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": 
"demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31779", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "hM-AUmcBTFzn_XoLEf64", + "source": { + "@timestamp": "2018-11-27T00:09:43.118Z", + "source": { + "ip": "74.208.43.208" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "sequence": 186203, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "74.208.43.208", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31789", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "hc-AUmcBTFzn_XoLEf64", + "source": { + "@timestamp": "2018-11-27T00:09:43.119Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "74.208.43.208", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186204, + "result": 
"fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "31789", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "74.208.43.208" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "hs-AUmcBTFzn_XoLEf64", + "source": { + "@timestamp": "2018-11-27T00:09:43.146Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186205, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "74.208.43.208", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "74.208.43.208", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31789", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "74.208.43.208" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "m89-UmcBTFzn_XoL1OLk", + "source": { + "@timestamp": "2018-11-27T00:08:22.009Z", + "source": { + "ip": "201.75.60.100" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + 
"name": "demo-stack-apache-01" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "201.75.60.100" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184237, + "result": "fail" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "24759", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "nM9-UmcBTFzn_XoL1OLk", + "source": { + "@timestamp": "2018-11-27T00:08:22.011Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "24759", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "201.75.60.100" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184238, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "201.75.60.100", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "nc9-UmcBTFzn_XoL1OLk", + "source": { + "@timestamp": "2018-11-27T00:08:22.241Z", + "user": { + 
"auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "24759" + }, + "source": { + "ip": "201.75.60.100" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184239, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "201.75.60.100" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "201.75.60.100", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Vc9_UmcBTFzn_XoLb_AH", + "source": { + "@timestamp": "2018-11-27T00:09:01.469Z", + "auditd": { + "session": "unset", + "data": { + "op": "PAM:accounting", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 184240, + "result": "success" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_acct", + "action": "was-authorized" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "24768", + "exe": "/usr/sbin/cron" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Vs9_UmcBTFzn_XoLb_AH", 
+ "source": { + "@timestamp": "2018-11-27T00:09:01.469Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "24768", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 184241, + "result": "success", + "session": "unset", + "data": { + "acct": "root", + "op": "PAM:setcred", + "terminal": "cron" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "event": { + "category": "user-login", + "type": "cred_acq", + "action": "acquired-credentials", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "V89_UmcBTFzn_XoLb_AH", + "source": { + "@timestamp": "2018-11-27T00:09:01.471Z", + "user": { + "auid": "0", + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + } + }, + "process": { + "pid": "24768", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "result": "success", + "session": "9854", + "data": { + "terminal": "cron", + "op": "PAM:session_open", + "acct": "root" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 184243 + }, + "event": { + "action": "started-session", + "module": "auditd", + "category": "user-login", + "type": "user_start" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "WM9_UmcBTFzn_XoLb_AH", + "source": { + 
"@timestamp": "2018-11-27T00:09:01.574Z", + "auditd": { + "result": "success", + "session": "9854", + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:setcred" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 184244 + }, + "event": { + "category": "user-login", + "type": "cred_disp", + "action": "disposed-credentials", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root", + "auid": "root" + }, + "auid": "0", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "24768" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Wc9_UmcBTFzn_XoLb_AH", + "source": { + "@timestamp": "2018-11-27T00:09:01.575Z", + "auditd": { + "session": "9854", + "data": { + "acct": "root", + "op": "PAM:session_close", + "terminal": "cron" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + } + }, + "sequence": 184245, + "result": "success" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_end", + "action": "ended-session", + "module": "auditd" + }, + "user": { + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0", + "auid": "0" + }, + "process": { + "pid": "24768", + "exe": "/usr/sbin/cron" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "W89_UmcBTFzn_XoLb_DG", + "source": { + "@timestamp": 
"2018-11-27T00:09:01.660Z", + "auditd": { + "sequence": 192396, + "result": "success", + "session": "unset", + "data": { + "terminal": "cron", + "op": "PAM:accounting", + "acct": "root" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_acct", + "action": "was-authorized", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "32020" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "XM9_UmcBTFzn_XoLb_DG", + "source": { + "@timestamp": "2018-11-27T00:09:01.660Z", + "auditd": { + "sequence": 192397, + "result": "success", + "session": "unset", + "data": { + "acct": "root", + "op": "PAM:setcred", + "terminal": "cron" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron" + } + }, + "event": { + "type": "cred_acq", + "action": "acquired-credentials", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "32020" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Xc9_UmcBTFzn_XoLb_DG", + "source": { + "@timestamp": "2018-11-27T00:09:01.661Z", + "beat": { + "name": 
"demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "event": { + "category": "user-login", + "type": "user_start", + "action": "started-session", + "module": "auditd" + }, + "user": { + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0", + "auid": "0" + }, + "process": { + "pid": "32020", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "result": "success", + "session": "9858", + "data": { + "terminal": "cron", + "op": "PAM:session_open", + "acct": "root" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron", + "actor": { + "secondary": "root", + "primary": "root" + } + }, + "sequence": 192399 + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Xs9_UmcBTFzn_XoLb_DG", + "source": { + "@timestamp": "2018-11-27T00:09:01.756Z", + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "process": { + "pid": "32020", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "data": { + "op": "PAM:setcred", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + }, + "sequence": 192400, + "result": "success", + "session": "9858" + }, + "event": { + "category": "user-login", + "type": "cred_disp", + "action": "disposed-credentials", + "module": "auditd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "X89_UmcBTFzn_XoLb_DG", + "source": { + "@timestamp": "2018-11-27T00:09:01.757Z", + "auditd": { + "sequence": 192401, + 
"result": "success", + "session": "9858", + "data": { + "terminal": "cron", + "op": "PAM:session_close", + "acct": "root" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_end", + "action": "ended-session" + }, + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "process": { + "pid": "32020", + "exe": "/usr/sbin/cron" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "tNCGUmcBTFzn_XoLwJHN", + "source": { + "@timestamp": "2018-11-27T00:17:01.150Z", + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "28080", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "data": { + "op": "PAM:setcred", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 44083, + "result": "success", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "cred_acq", + "action": "acquired-credentials", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "tdCGUmcBTFzn_XoLwJHN", + "source": { + "@timestamp": "2018-11-27T00:17:01.150Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + 
}, + "process": { + "pid": "28080", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "result": "success", + "session": "unset", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:accounting" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + }, + "sequence": 44082 + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_acct", + "action": "was-authorized", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ttCGUmcBTFzn_XoLwJHN", + "source": { + "@timestamp": "2018-11-27T00:17:01.150Z", + "process": { + "pid": "28080", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + }, + "sequence": 44085, + "result": "success", + "session": "1442", + "data": { + "terminal": "cron", + "op": "PAM:session_open", + "acct": "root" + } + }, + "event": { + "category": "user-login", + "type": "user_start", + "action": "started-session", + "module": "auditd" + }, + "user": { + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0", + "uid": "0" + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "t9CGUmcBTFzn_XoLwJHN", + "source": { + "@timestamp": "2018-11-27T00:17:01.154Z", + "event": { + "action": "disposed-credentials", + "module": "auditd", + "category": "user-login", + "type": "cred_disp" + }, + "user": { 
+ "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0", + "uid": "0" + }, + "process": { + "pid": "28080", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 44086, + "result": "success", + "session": "1442", + "data": { + "op": "PAM:setcred", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "uNCGUmcBTFzn_XoLwJHN", + "source": { + "@timestamp": "2018-11-27T00:17:01.154Z", + "auditd": { + "session": "1442", + "data": { + "op": "PAM:session_close", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 44087, + "result": "success" + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "event": { + "action": "ended-session", + "module": "auditd", + "category": "user-login", + "type": "user_end" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "28080", + "exe": "/usr/sbin/cron" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "udCGUmcBTFzn_XoLwJHb", + "source": { + "@timestamp": "2018-11-27T00:17:01.168Z", + "auditd": { + "sequence": 142264, + "result": "success", + "session": "unset", + "data": { + "op": "PAM:accounting", + "terminal": "cron", + "acct": "root" + }, + "summary": { + 
"how": "/usr/sbin/cron", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + } + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "type": "user_acct", + "action": "was-authorized", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19244", + "exe": "/usr/sbin/cron" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "utCGUmcBTFzn_XoLwJHb", + "source": { + "@timestamp": "2018-11-27T00:17:01.169Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "cred_acq", + "action": "acquired-credentials" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19244", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:setcred", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 142265, + "result": "success" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "u9CGUmcBTFzn_XoLwJHb", + "source": { + "@timestamp": "2018-11-27T00:17:01.171Z", + "event": { + "type": "user_start", + "action": "started-session", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" 
+ }, + "process": { + "pid": "19244", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "data": { + "terminal": "cron", + "op": "PAM:session_open", + "acct": "root" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 142267, + "result": "success", + "session": "3502" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "vNCGUmcBTFzn_XoLwJHb", + "source": { + "@timestamp": "2018-11-27T00:17:01.174Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "action": "disposed-credentials", + "module": "auditd", + "category": "user-login", + "type": "cred_disp" + }, + "user": { + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0", + "auid": "0" + }, + "process": { + "pid": "19244", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "session": "3502", + "data": { + "op": "PAM:setcred", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + } + }, + "sequence": 142268, + "result": "success" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "vdCGUmcBTFzn_XoLwJHb", + "source": { + "@timestamp": "2018-11-27T00:17:01.175Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_end", + "action": "ended-session" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root", + "auid": "root" + }, + "auid": "0" + }, + 
"process": { + "pid": "19244", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "secondary": "root", + "primary": "root" + } + }, + "sequence": 142269, + "result": "success", + "session": "3502", + "data": { + "acct": "root", + "op": "PAM:session_close", + "terminal": "cron" + } + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "vtCGUmcBTFzn_XoLwJH4", + "source": { + "@timestamp": "2018-11-27T00:17:01.195Z", + "event": { + "type": "user_acct", + "action": "was-authorized", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12297", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:accounting" + }, + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 43110, + "result": "success" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "v9CGUmcBTFzn_XoLwJH4", + "source": { + "@timestamp": "2018-11-27T00:17:01.195Z", + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "12297", + "exe": 
"/usr/sbin/cron" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "cron", + "op": "PAM:setcred", + "acct": "root" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 43111, + "result": "success" + }, + "event": { + "category": "user-login", + "type": "cred_acq", + "action": "acquired-credentials", + "module": "auditd" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "wNCGUmcBTFzn_XoLwJH4", + "source": { + "@timestamp": "2018-11-27T00:17:01.195Z", + "event": { + "action": "started-session", + "module": "auditd", + "category": "user-login", + "type": "user_start" + }, + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "process": { + "pid": "12297", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 43113, + "result": "success", + "session": "1251", + "data": { + "terminal": "cron", + "op": "PAM:session_open", + "acct": "root" + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "wdCGUmcBTFzn_XoLwJH4", + "source": { + "@timestamp": "2018-11-27T00:17:01.195Z", + "auditd": { + "session": "1251", + "data": { + "op": "PAM:setcred", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + 
} + }, + "sequence": 43114, + "result": "success" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "cred_disp", + "action": "disposed-credentials" + }, + "user": { + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0", + "uid": "0" + }, + "process": { + "pid": "12297", + "exe": "/usr/sbin/cron" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "wtCGUmcBTFzn_XoLwJH4", + "source": { + "@timestamp": "2018-11-27T00:17:01.199Z", + "process": { + "pid": "12297", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "session": "1251", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:session_close" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 43115, + "result": "success" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_end", + "action": "ended-session" + }, + "user": { + "uid": "0", + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2dCGUmcBTFzn_XoLwpF3", + "source": { + "@timestamp": "2018-11-27T00:17:01.580Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "action": "was-authorized", + "module": "auditd", + "category": "user-login", + "type": "user_acct" + }, + "user": { + 
"auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "24860", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "result": "success", + "session": "unset", + "data": { + "acct": "root", + "op": "PAM:accounting", + "terminal": "cron" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 184252 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2tCGUmcBTFzn_XoLwpF3", + "source": { + "@timestamp": "2018-11-27T00:17:01.581Z", + "process": { + "pid": "24860", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 184253, + "result": "success", + "session": "unset", + "data": { + "op": "PAM:setcred", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "event": { + "category": "user-login", + "type": "cred_acq", + "action": "acquired-credentials", + "module": "auditd" + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "29CGUmcBTFzn_XoLwpF3", + "source": { + "@timestamp": "2018-11-27T00:17:01.582Z", + "auditd": { + "sequence": 184255, + "result": "success", + "session": "9855", + "data": { + "terminal": "cron", + "op": "PAM:session_open", + "acct": "root" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + } + } + }, + 
"beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "type": "user_start", + "action": "started-session", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "24860" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3NCGUmcBTFzn_XoLwpF3", + "source": { + "@timestamp": "2018-11-27T00:17:01.585Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "cred_disp", + "action": "disposed-credentials" + }, + "user": { + "auid": "0", + "name_map": { + "uid": "root", + "auid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "24860", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "session": "9855", + "data": { + "terminal": "cron", + "op": "PAM:setcred", + "acct": "root" + }, + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "secondary": "root", + "primary": "root" + } + }, + "sequence": 184256, + "result": "success" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3dCGUmcBTFzn_XoLwpF3", + "source": { + "@timestamp": "2018-11-27T00:17:01.586Z", + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_end", + "action": "ended-session", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "process": { + "pid": "24860", + "exe": "/usr/sbin/cron" + }, + "auditd": { + 
"result": "success", + "session": "9855", + "data": { + "terminal": "cron", + "op": "PAM:session_close", + "acct": "root" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + }, + "sequence": 184257 + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "7dCGUmcBTFzn_XoLw5Er", + "source": { + "@timestamp": "2018-11-27T00:17:01.761Z", + "process": { + "pid": "32105", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 192405, + "result": "success", + "session": "unset", + "data": { + "op": "PAM:accounting", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "event": { + "action": "was-authorized", + "module": "auditd", + "category": "user-login", + "type": "user_acct" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "7tCGUmcBTFzn_XoLw5Er", + "source": { + "@timestamp": "2018-11-27T00:17:01.762Z", + "auditd": { + "result": "success", + "session": "unset", + "data": { + "acct": "root", + "op": "PAM:setcred", + "terminal": "cron" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 192406 + }, + "beat": { + "hostname": 
"demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "cred_acq", + "action": "acquired-credentials", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32105", + "exe": "/usr/sbin/cron" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "79CGUmcBTFzn_XoLw5Er", + "source": { + "@timestamp": "2018-11-27T00:17:01.763Z", + "event": { + "type": "user_start", + "action": "started-session", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32105", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 192408, + "result": "success", + "session": "9859", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:session_open" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "8NCGUmcBTFzn_XoLw5Er", + "source": { + "@timestamp": "2018-11-27T00:17:01.766Z", + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "32105" + }, + "auditd": { + "sequence": 192409, + "result": "success", + "session": "9859", + "data": { + "op": "PAM:setcred", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": 
"root", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + } + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "cred_disp", + "action": "disposed-credentials" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "8dCGUmcBTFzn_XoLw5Er", + "source": { + "@timestamp": "2018-11-27T00:17:01.767Z", + "event": { + "action": "ended-session", + "module": "auditd", + "category": "user-login", + "type": "user_end" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32105", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "session": "9859", + "data": { + "op": "PAM:session_close", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 192410, + "result": "success" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-tCGUmcBTFzn_XoLw5GT", + "source": { + "@timestamp": "2018-11-27T00:17:01.863Z", + "event": { + "type": "user_acct", + "action": "was-authorized", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "31840", + "exe": 
"/usr/sbin/cron" + }, + "auditd": { + "data": { + "op": "PAM:accounting", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 186230, + "result": "success", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-9CGUmcBTFzn_XoLw5GT", + "source": { + "@timestamp": "2018-11-27T00:17:01.864Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "acquired-credentials", + "module": "auditd", + "category": "user-login", + "type": "cred_acq" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31840", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "data": { + "acct": "root", + "op": "PAM:setcred", + "terminal": "cron" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 186231, + "result": "success", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_NCGUmcBTFzn_XoLw5GT", + "source": { + "@timestamp": "2018-11-27T00:17:01.866Z", + "process": { + "pid": "31840", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 186233, + "result": "success", + "session": "3510", + "data": { + "op": "PAM:session_open", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + } + }, + "beat": { + "name": "demo-stack-redis-01", + 
"hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "started-session", + "module": "auditd", + "category": "user-login", + "type": "user_start" + }, + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_dCGUmcBTFzn_XoLw5GT", + "source": { + "@timestamp": "2018-11-27T00:17:01.868Z", + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "cred_disp", + "action": "disposed-credentials" + }, + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "process": { + "pid": "31840", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:setcred" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 186234, + "result": "success", + "session": "3510" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_tCGUmcBTFzn_XoLw5GT", + "source": { + "@timestamp": "2018-11-27T00:17:01.869Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_end", + "action": "ended-session", + "module": "auditd" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "31840" + }, + "auditd": { + "sequence": 186235, + "result": "success", + "session": "3510", + "data": { + "terminal": "cron", + "op": 
"PAM:session_close", + "acct": "root" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rdCFUmcBTFzn_XoLNW-m", + "source": { + "@timestamp": "2018-11-27T00:15:19.990Z", + "source": { + "ip": "181.58.119.34" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43101, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "181.58.119.34", + "type": "user-session" + } + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "12279", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rtCFUmcBTFzn_XoLNW-m", + "source": { + "@timestamp": "2018-11-27T00:15:19.990Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "181.58.119.34", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 
43102 + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12279", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "181.58.119.34" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "r9CFUmcBTFzn_XoLNW-m", + "source": { + "@timestamp": "2018-11-27T00:15:20.098Z", + "source": { + "ip": "181.58.119.34" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "181.58.119.34", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "181.58.119.34", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43103, + "result": "fail" + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12279" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "9dCFUmcBTFzn_XoLPm_6", + "source": { + "@timestamp": "2018-11-27T00:15:22.384Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "24844" + }, + "source": { + "ip": 
"78.217.134.141" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184246, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "78.217.134.141" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "9tCFUmcBTFzn_XoLPm_6", + "source": { + "@timestamp": "2018-11-27T00:15:22.385Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "24844" + }, + "source": { + "ip": "78.217.134.141" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184247, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "78.217.134.141", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "99CFUmcBTFzn_XoLPm_6", + "source": { + 
"@timestamp": "2018-11-27T00:15:22.546Z", + "process": { + "pid": "24844", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "78.217.134.141" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "78.217.134.141", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "secondary": "78.217.134.141", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184248, + "result": "fail" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ZdCGUmcBTFzn_XoLhYxL", + "source": { + "@timestamp": "2018-11-27T00:16:45.917Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "212.144.234.165" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 43104 + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12288", + "exe": "/usr/sbin/sshd" + }, + 
"source": { + "ip": "212.144.234.165" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ZtCGUmcBTFzn_XoLhYxL", + "source": { + "@timestamp": "2018-11-27T00:16:45.917Z", + "source": { + "ip": "212.144.234.165" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "212.144.234.165", + "type": "user-session" + } + }, + "sequence": 43105, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "12288", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Z9CGUmcBTFzn_XoLhYxL", + "source": { + "@timestamp": "2018-11-27T00:16:46.029Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "12288", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "212.144.234.165" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "auditd": { + "sequence": 43106, + "result": "fail", + "session": "unset", + "data": { + "hostname": "212.144.234.165", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, 
+ "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "212.144.234.165" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CtCGUmcBTFzn_XoLj44z", + "source": { + "@timestamp": "2018-11-27T00:16:48.454Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "pid": "12290", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "82.165.64.156" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "82.165.64.156", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43107, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "C9CGUmcBTFzn_XoLj44z", + "source": { + "@timestamp": "2018-11-27T00:16:48.458Z", + "process": { + "pid": "12290", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "82.165.64.156" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "82.165.64.156" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43108, + "result": "fail", + "session": "unset", + "data": { + 
"op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "DNCGUmcBTFzn_XoLj44z", + "source": { + "@timestamp": "2018-11-27T00:16:48.574Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "82.165.64.156", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43109, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "82.165.64.156" + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12290" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "source": { + "ip": "82.165.64.156" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "XdCGUmcBTFzn_XoLspGv", + "source": { + "@timestamp": "2018-11-27T00:16:57.541Z", + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "24857", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "90.63.218.214" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": 
"(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "90.63.218.214", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184249, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "XtCGUmcBTFzn_XoLspGv", + "source": { + "@timestamp": "2018-11-27T00:16:57.542Z", + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "90.63.218.214" + } + }, + "sequence": 184250, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "24857", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "90.63.218.214" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "X9CGUmcBTFzn_XoLspGv", + "source": { + "@timestamp": "2018-11-27T00:16:57.654Z", + "user": { + "name_map": { + "uid": "root" + }, + 
"auid": "unset", + "uid": "0" + }, + "process": { + "pid": "24857", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "90.63.218.214" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184251, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "90.63.218.214", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "secondary": "90.63.218.214", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gNCDUmcBTFzn_XoLe0qz", + "source": { + "@timestamp": "2018-11-27T00:13:26.761Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31815", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.128.221.237" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186221, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "178.128.221.237" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + 
"index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gdCDUmcBTFzn_XoLe0qz", + "source": { + "@timestamp": "2018-11-27T00:13:26.762Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "178.128.221.237", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186222, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "31815", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.128.221.237" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gtCDUmcBTFzn_XoLe0qz", + "source": { + "@timestamp": "2018-11-27T00:13:26.955Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "31815", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.128.221.237" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186223, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "178.128.221.237", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + 
"secondary": "root" + }, + "object": { + "secondary": "178.128.221.237", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "oNCFUmcBTFzn_XoLinbC", + "source": { + "@timestamp": "2018-11-27T00:15:41.783Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31832" + }, + "source": { + "ip": "46.148.18.163" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "46.148.18.163", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186227, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "odCFUmcBTFzn_XoLinbC", + "source": { + "@timestamp": "2018-11-27T00:15:41.784Z", + "source": { + "ip": "46.148.18.163" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "46.148.18.163", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186228 + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": 
"7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31832", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "otCFUmcBTFzn_XoLinbC", + "source": { + "@timestamp": "2018-11-27T00:15:41.927Z", + "source": { + "ip": "46.148.18.163" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "46.148.18.163", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "46.148.18.163" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186229, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "31832", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5tCEUmcBTFzn_XoLU1tS", + "source": { + "@timestamp": "2018-11-27T00:14:22.056Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31823" + }, + "source": { + "ip": "185.241.4.160" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + 
"primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "185.241.4.160", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 186224, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "59CEUmcBTFzn_XoLU1tS", + "source": { + "@timestamp": "2018-11-27T00:14:22.061Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31823", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "185.241.4.160" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186225, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "secondary": "185.241.4.160", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6NCEUmcBTFzn_XoLU1tS", + "source": { + "@timestamp": "2018-11-27T00:14:22.221Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31823" + }, + "source": { + "ip": "185.241.4.160" + }, + "network": { + "direction": 
"incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "185.241.4.160", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "185.241.4.160", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186226, + "result": "fail" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "D9CFUmcBTFzn_XoL031l", + "source": { + "@timestamp": "2018-11-27T00:16:00.377Z", + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "117.102.68.188", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44076, + "result": "fail" + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "28053" + }, + "source": { + "ip": "117.102.68.188" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ENCFUmcBTFzn_XoL031l", + "source": 
{ + "@timestamp": "2018-11-27T00:16:00.377Z", + "source": { + "ip": "117.102.68.188" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44077, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "117.102.68.188" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "28053", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "EdCFUmcBTFzn_XoL031l", + "source": { + "@timestamp": "2018-11-27T00:16:00.581Z", + "auditd": { + "sequence": 44078, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "117.102.68.188", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "117.102.68.188", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "28053", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "117.102.68.188" + }, + "network": { + 
"direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "19CGUmcBTFzn_XoLC4FO", + "source": { + "@timestamp": "2018-11-27T00:16:14.690Z", + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "91.183.42.58", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 44079, + "result": "fail" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "28062", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "91.183.42.58" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2NCGUmcBTFzn_XoLC4FO", + "source": { + "@timestamp": "2018-11-27T00:16:14.690Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "28062", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "91.183.42.58" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44080, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "91.183.42.58", + "type": "user-session" + } + } + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + 
"hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2dCGUmcBTFzn_XoLC4FO", + "source": { + "@timestamp": "2018-11-27T00:16:14.802Z", + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "28062", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "91.183.42.58" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "sequence": 44081, + "result": "fail", + "session": "unset", + "data": { + "hostname": "91.183.42.58", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "91.183.42.58" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "dtCJUmcBTFzn_XoL_tm6", + "source": { + "@timestamp": "2018-11-27T00:20:33.614Z", + "auditd": { + "sequence": 44091, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "209.59.65.109" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": 
"demo-stack-es-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "28150", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "209.59.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "d9CJUmcBTFzn_XoL_tm6", + "source": { + "@timestamp": "2018-11-27T00:20:33.614Z", + "auditd": { + "sequence": 44092, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "209.59.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "28150", + "exe": "/usr/sbin/sshd" + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "source": { + "ip": "209.59.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "eNCJUmcBTFzn_XoL_tm6", + "source": { + "@timestamp": "2018-11-27T00:20:33.698Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "28150" + }, + "source": { + "ip": "209.59.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44093, + "result": "fail", + "session": "unset", + "data": { + 
"op": "PAM:bad_ident", + "hostname": "209.59.65.109", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "209.59.65.109", + "type": "user-session" + } + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ptCKUmcBTFzn_XoLDtsd", + "source": { + "@timestamp": "2018-11-27T00:20:37.550Z", + "host": { + "name": "demo-stack-es-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "106.51.72.37", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44094, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "28153", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "106.51.72.37" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "p9CKUmcBTFzn_XoLDtsd", + "source": { + "@timestamp": "2018-11-27T00:20:37.550Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "28153" + }, + 
"source": { + "ip": "106.51.72.37" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44095, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "106.51.72.37", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qNCKUmcBTFzn_XoLDtsd", + "source": { + "@timestamp": "2018-11-27T00:20:37.782Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "28153", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "106.51.72.37" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44096, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "106.51.72.37" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "106.51.72.37", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5tGMUmcBTFzn_XoLPwqH", + "source": { + "@timestamp": 
"2018-11-27T00:23:01.275Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31880", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.105.123.11" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186254, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "46.105.123.11", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "59GMUmcBTFzn_XoLPwqH", + "source": { + "@timestamp": "2018-11-27T00:23:01.276Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "46.105.123.11" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186255 + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31880", + "exe": "/usr/sbin/sshd" + }, + "source": { + 
"ip": "46.105.123.11" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6NGMUmcBTFzn_XoLPwqH", + "source": { + "@timestamp": "2018-11-27T00:23:01.383Z", + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "31880", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.105.123.11" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "sequence": 186256, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "46.105.123.11" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "46.105.123.11" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FtCKUmcBTFzn_XoL0uxn", + "source": { + "@timestamp": "2018-11-27T00:21:27.805Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "sshd", + "secondary": "213.143.97.179", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 142270, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, 
+ "process": { + "pid": "19271", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "213.143.97.179" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "F9CKUmcBTFzn_XoL0uxn", + "source": { + "@timestamp": "2018-11-27T00:21:27.807Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "sequence": 142271, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "213.143.97.179" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "19271", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "213.143.97.179" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "GNCKUmcBTFzn_XoL0uxn", + "source": { + "@timestamp": "2018-11-27T00:21:27.937Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "sequence": 142272, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "213.143.97.179" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + 
"secondary": "213.143.97.179", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19271", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "213.143.97.179" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ZtCLUmcBTFzn_XoLLPOM", + "source": { + "@timestamp": "2018-11-27T00:21:50.882Z", + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "24899", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "192.99.252.97" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "192.99.252.97", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184273, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Z9CLUmcBTFzn_XoLLPOM", + "source": { + "@timestamp": "2018-11-27T00:21:50.883Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "24899" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": 
"7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "192.99.252.97" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184274, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "192.99.252.97" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "aNCLUmcBTFzn_XoLLPOM", + "source": { + "@timestamp": "2018-11-27T00:21:50.926Z", + "process": { + "pid": "24899", + "exe": "/usr/sbin/sshd" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "source": { + "ip": "192.99.252.97" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "ssh", + "secondary": "192.99.252.97", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 184275, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "192.99.252.97" + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "A9CKUmcBTFzn_XoLrulM", + "source": { + "@timestamp": "2018-11-27T00:21:18.562Z", + "network": { + "direction": "incoming" + }, + 
"auditd": { + "sequence": 186251, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "163.172.35.93" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31872" + }, + "source": { + "ip": "163.172.35.93" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "BNCKUmcBTFzn_XoLrulM", + "source": { + "@timestamp": "2018-11-27T00:21:18.563Z", + "source": { + "ip": "163.172.35.93" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "163.172.35.93", + "type": "user-session" + } + }, + "sequence": 186252 + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "31872", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + 
"index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "BdCKUmcBTFzn_XoLrulM", + "source": { + "@timestamp": "2018-11-27T00:21:18.669Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31872", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "163.172.35.93" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186253, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "163.172.35.93" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "163.172.35.93", + "type": "user-session" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "VtCKUmcBTFzn_XoLLt0C", + "source": { + "@timestamp": "2018-11-27T00:20:45.720Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "24889", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "122.175.55.196" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + 
"secondary": "122.175.55.196", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184270, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "V9CKUmcBTFzn_XoLLt0C", + "source": { + "@timestamp": "2018-11-27T00:20:45.721Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "24889", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "122.175.55.196" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184271, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "122.175.55.196", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "WNCKUmcBTFzn_XoLLt0C", + "source": { + "@timestamp": "2018-11-27T00:20:45.977Z", + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "122.175.55.196" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "122.175.55.196", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "122.175.55.196", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184272 + }, + "event": { + 
"category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "24889", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FNGNUmcBTFzn_XoLiyd2", + "source": { + "@timestamp": "2018-11-27T00:24:26.252Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "145.239.137.89" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "145.239.137.89", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192426, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32155", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FdGNUmcBTFzn_XoLiyd2", + "source": { + "@timestamp": "2018-11-27T00:24:26.253Z", + "source": { + "ip": "145.239.137.89" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192427, + "result": "fail", + "session": "unset", + 
"data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "145.239.137.89", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32155" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FtGNUmcBTFzn_XoLiyd2", + "source": { + "@timestamp": "2018-11-27T00:24:26.370Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32155" + }, + "source": { + "ip": "145.239.137.89" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "ssh", + "secondary": "145.239.137.89", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 192428, + "result": "fail", + "session": "unset", + "data": { + "hostname": "145.239.137.89", + "terminal": "ssh", + "op": "PAM:bad_ident" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QNGLUmcBTFzn_XoL7gTu", + "source": { + "@timestamp": "2018-11-27T00:22:40.643Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32146", + "exe": 
"/usr/sbin/sshd" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "52.189.217.7" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "52.189.217.7", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192423 + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QdGLUmcBTFzn_XoL7gTu", + "source": { + "@timestamp": "2018-11-27T00:22:40.644Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32146", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "52.189.217.7" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "52.189.217.7", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192424, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"QtGLUmcBTFzn_XoL7gTu", + "source": { + "@timestamp": "2018-11-27T00:22:40.849Z", + "process": { + "pid": "32146", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "52.189.217.7" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "52.189.217.7" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "52.189.217.7", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192425, + "result": "fail" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_9GMUmcBTFzn_XoL1xdJ", + "source": { + "@timestamp": "2018-11-27T00:23:40.121Z", + "process": { + "pid": "28213", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "139.59.133.18" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44097, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "139.59.133.18", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": 
"unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ANGMUmcBTFzn_XoL1xhJ", + "source": { + "@timestamp": "2018-11-27T00:23:40.125Z", + "process": { + "pid": "28213", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "139.59.133.18" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "sequence": 44098, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "139.59.133.18", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "AdGMUmcBTFzn_XoL1xhJ", + "source": { + "@timestamp": "2018-11-27T00:23:40.237Z", + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "139.59.133.18", + "type": "user-session" + } + }, + "sequence": 44099, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "139.59.133.18" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "28213", + "exe": "/usr/sbin/sshd" + }, + 
"source": { + "ip": "139.59.133.18" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ydGRUmcBTFzn_XoL6IZr", + "source": { + "@timestamp": "2018-11-27T00:29:12.188Z", + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "54.37.154.254" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "54.37.154.254", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43119, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12362", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ytGRUmcBTFzn_XoL6IZr", + "source": { + "@timestamp": "2018-11-27T00:29:12.188Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "12362", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "54.37.154.254" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + 
"object": { + "primary": "sshd", + "secondary": "54.37.154.254", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43120, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "y9GRUmcBTFzn_XoL6IZr", + "source": { + "@timestamp": "2018-11-27T00:29:12.300Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43121, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "54.37.154.254" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "54.37.154.254", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12362", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "54.37.154.254" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "UtGRUmcBTFzn_XoL7YcV", + "source": { + "@timestamp": "2018-11-27T00:29:13.387Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "24953", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "86.104.220.26" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": 
"demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "86.104.220.26", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184288 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "U9GRUmcBTFzn_XoL7YcV", + "source": { + "@timestamp": "2018-11-27T00:29:13.388Z", + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "24953" + }, + "source": { + "ip": "86.104.220.26" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "86.104.220.26", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 184289, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "VNGRUmcBTFzn_XoL7YcV", + "source": { + "@timestamp": "2018-11-27T00:29:13.531Z", + "process": { + "pid": "24953", + "exe": 
"/usr/sbin/sshd" + }, + "source": { + "ip": "86.104.220.26" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184290, + "result": "fail", + "session": "unset", + "data": { + "hostname": "86.104.220.26", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "86.104.220.26" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QdGPUmcBTFzn_XoLtVea", + "source": { + "@timestamp": "2018-11-27T00:26:48.111Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "process": { + "pid": "19304", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "121.162.29.165" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "121.162.29.165", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142276, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + 
"value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QtGPUmcBTFzn_XoLtVea", + "source": { + "@timestamp": "2018-11-27T00:26:48.112Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19304" + }, + "source": { + "ip": "121.162.29.165" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "121.162.29.165", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142277, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Q9GPUmcBTFzn_XoLtVea", + "source": { + "@timestamp": "2018-11-27T00:26:48.273Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "19304", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "121.162.29.165" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "121.162.29.165", + "terminal": "ssh" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": 
"121.162.29.165", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 142278, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "1tGPUmcBTFzn_XoL8FvF", + "source": { + "@timestamp": "2018-11-27T00:27:03.259Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "sequence": 142279, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "103.56.207.96", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19306", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "103.56.207.96" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "19GPUmcBTFzn_XoL8FvF", + "source": { + "@timestamp": "2018-11-27T00:27:03.260Z", + "process": { + "pid": "19306", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "103.56.207.96" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "103.56.207.96" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + }, 
+ "sequence": 142280 + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2NGPUmcBTFzn_XoL8FvF", + "source": { + "@timestamp": "2018-11-27T00:27:03.463Z", + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19306", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "103.56.207.96" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "103.56.207.96", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "103.56.207.96" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142281, + "result": "fail" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "l9GQUmcBTFzn_XoL0m8i", + "source": { + "@timestamp": "2018-11-27T00:28:00.952Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": 
"31904" + }, + "source": { + "ip": "122.152.225.120" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186260, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "secondary": "122.152.225.120", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "mNGQUmcBTFzn_XoL0m8i", + "source": { + "@timestamp": "2018-11-27T00:28:00.954Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31904" + }, + "source": { + "ip": "122.152.225.120" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186261, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "122.152.225.120", + "type": "user-session" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "mdGQUmcBTFzn_XoL0m8i", + "source": { + "@timestamp": "2018-11-27T00:28:01.157Z", + "network": { + "direction": "incoming" + }, + "beat": { + "version": "7.0.0-alpha1", + 
"name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "122.152.225.120" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "122.152.225.120" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 186262, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31904" + }, + "source": { + "ip": "122.152.225.120" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "nNGTUmcBTFzn_XoLCp-5", + "source": { + "@timestamp": "2018-11-27T00:30:26.511Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32530" + }, + "source": { + "ip": "173.167.200.227" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "173.167.200.227" + } + }, + "sequence": 192434 + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ndGTUmcBTFzn_XoLCp-5", + "source": { + "@timestamp": "2018-11-27T00:30:26.512Z", + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32530", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "173.167.200.227" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "173.167.200.227", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192435, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ntGTUmcBTFzn_XoLCp-5", + "source": { + "@timestamp": "2018-11-27T00:30:26.557Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32530", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "173.167.200.227" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "173.167.200.227", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192436, + "result": "fail", + "session": "unset", + "data": { + "hostname": "173.167.200.227", + "terminal": "ssh", + "op": "PAM:bad_ident" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + 
"name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "zdGQUmcBTFzn_XoLtmz7", + "source": { + "@timestamp": "2018-11-27T00:27:54.000Z", + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "31902", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "184.170.7.230" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186257, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "184.170.7.230", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ztGQUmcBTFzn_XoLtmz7", + "source": { + "@timestamp": "2018-11-27T00:27:54.002Z", + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "31902", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "184.170.7.230" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "184.170.7.230", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186258, + "result": "fail", 
+ "session": "unset" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "z9GQUmcBTFzn_XoLtmz7", + "source": { + "@timestamp": "2018-11-27T00:27:54.541Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "31902", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "184.170.7.230" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "184.170.7.230" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "184.170.7.230", + "type": "user-session" + } + }, + "sequence": 186259, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QdGSUmcBTFzn_XoLx5oM", + "source": { + "@timestamp": "2018-11-27T00:30:09.185Z", + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12372" + }, + "source": { + "ip": "86.229.8.199" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", 
+ "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "86.229.8.199", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43125, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QtGSUmcBTFzn_XoLx5oM", + "source": { + "@timestamp": "2018-11-27T00:30:09.185Z", + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "86.229.8.199" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43126, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12372", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "86.229.8.199" + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Q9GSUmcBTFzn_XoLx5oM", + "source": { + "@timestamp": "2018-11-27T00:30:09.329Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + 
"auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12372" + }, + "source": { + "ip": "86.229.8.199" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "86.229.8.199", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43127, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "86.229.8.199", + "op": "PAM:bad_ident" + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6tGSUmcBTFzn_XoLe5Pk", + "source": { + "@timestamp": "2018-11-27T00:29:49.943Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12370", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "138.197.44.25" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43122, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "138.197.44.25", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "69GSUmcBTFzn_XoLe5Pk", + "source": { + "@timestamp": 
"2018-11-27T00:29:49.943Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "12370", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "138.197.44.25" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "sshd", + "secondary": "138.197.44.25", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 43123, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + } + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "7NGSUmcBTFzn_XoLe5Pk", + "source": { + "@timestamp": "2018-11-27T00:29:49.975Z", + "auditd": { + "data": { + "op": "PAM:bad_ident", + "hostname": "138.197.44.25", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "138.197.44.25", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43124, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12370", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "138.197.44.25" + }, + "network": { + 
"direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "59GRUmcBTFzn_XoLFXXo", + "source": { + "@timestamp": "2018-11-27T00:28:18.298Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "28318" + }, + "source": { + "ip": "200.35.110.58" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "200.35.110.58" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 44112 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6NGRUmcBTFzn_XoLFXXo", + "source": { + "@timestamp": "2018-11-27T00:28:18.298Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "28318" + }, + "source": { + "ip": "200.35.110.58" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44113, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "200.35.110.58", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": 
"demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6dGRUmcBTFzn_XoLFXXo", + "source": { + "@timestamp": "2018-11-27T00:28:18.414Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "200.35.110.58", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "secondary": "200.35.110.58", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44114 + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "28318", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "200.35.110.58" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "r9KXUmcBTFzn_XoLtQab", + "source": { + "@timestamp": "2018-11-27T00:35:32.401Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31943", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "164.132.43.198" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": 
"(unknown user)" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "164.132.43.198" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 186269, + "result": "fail" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "sNKXUmcBTFzn_XoLtQab", + "source": { + "@timestamp": "2018-11-27T00:35:32.402Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "sequence": 186270, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "164.132.43.198", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31943" + }, + "source": { + "ip": "164.132.43.198" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "sdKXUmcBTFzn_XoLtQab", + "source": { + "@timestamp": "2018-11-27T00:35:32.510Z", + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", 
+ "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "31943", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "164.132.43.198" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186271, + "result": "fail", + "session": "unset", + "data": { + "hostname": "164.132.43.198", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "164.132.43.198", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CNKXUmcBTFzn_XoLxggy", + "source": { + "@timestamp": "2018-11-27T00:35:36.648Z", + "process": { + "pid": "19353", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.55.214.3" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "46.55.214.3", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142285 + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CdKXUmcBTFzn_XoLxggy", + "source": { + "@timestamp": "2018-11-27T00:35:36.650Z", + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-haproxy-01", + 
"hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "sequence": 142286, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "46.55.214.3" + } + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19353", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.55.214.3" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CtKXUmcBTFzn_XoLxggy", + "source": { + "@timestamp": "2018-11-27T00:35:36.800Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "46.55.214.3" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + } + }, + "sequence": 142287, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "46.55.214.3" + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "19353", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.55.214.3" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + 
"type": "doc", + "id": "S9KYUmcBTFzn_XoL9yJk", + "source": { + "@timestamp": "2018-11-27T00:36:54.778Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "125.63.92.170", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142288 + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19361" + }, + "source": { + "ip": "125.63.92.170" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "TNKYUmcBTFzn_XoL9yJk", + "source": { + "@timestamp": "2018-11-27T00:36:54.779Z", + "auditd": { + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "125.63.92.170", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142289, + "result": "fail" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "19361", + 
"exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "125.63.92.170" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "TdKYUmcBTFzn_XoL9yJk", + "source": { + "@timestamp": "2018-11-27T00:36:55.043Z", + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19361", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "125.63.92.170" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "125.63.92.170", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142290, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "125.63.92.170" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "8tKZUmcBTFzn_XoLZyud", + "source": { + "@timestamp": "2018-11-27T00:37:23.507Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "180.151.228.58", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 
186272 + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31951" + }, + "source": { + "ip": "180.151.228.58" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "89KZUmcBTFzn_XoLZyud", + "source": { + "@timestamp": "2018-11-27T00:37:23.508Z", + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "180.151.228.58", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186273, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31951", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "180.151.228.58" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "9NKZUmcBTFzn_XoLZyud", + "source": { + "@timestamp": "2018-11-27T00:37:23.776Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31951", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "180.151.228.58" + }, + "network": { + "direction": "incoming" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + 
"version": "7.0.0-alpha1" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "180.151.228.58", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186274, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "180.151.228.58" + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "BtGWUmcBTFzn_XoLwfK7", + "source": { + "@timestamp": "2018-11-27T00:34:29.968Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32558", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "211.24.100.205" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "211.24.100.205", + "type": "user-session" + } + }, + "sequence": 192440, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "B9GWUmcBTFzn_XoLwfK7", + "source": { + "@timestamp": "2018-11-27T00:34:29.969Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": 
"root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "pid": "32558", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "211.24.100.205" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "211.24.100.205", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192441, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CNGWUmcBTFzn_XoLwfK7", + "source": { + "@timestamp": "2018-11-27T00:34:30.179Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32558" + }, + "source": { + "ip": "211.24.100.205" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "211.24.100.205" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "211.24.100.205", + "type": "user-session" + } + }, + "sequence": 192442 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "pdKaUmcBTFzn_XoL802l", + "source": { + "@timestamp": 
"2018-11-27T00:39:04.878Z", + "process": { + "pid": "31959", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.251.239.72" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "46.251.239.72" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186275, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ptKaUmcBTFzn_XoL802l", + "source": { + "@timestamp": "2018-11-27T00:39:04.879Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "31959", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.251.239.72" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186276, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "46.251.239.72", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": 
"demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "p9KaUmcBTFzn_XoL802l", + "source": { + "@timestamp": "2018-11-27T00:39:04.990Z", + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "31959", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.251.239.72" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "46.251.239.72", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186277, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "46.251.239.72" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "r9KXUmcBTFzn_XoLowUZ", + "source": { + "@timestamp": "2018-11-27T00:35:27.663Z", + "source": { + "ip": "185.254.97.113" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "185.254.97.113", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186266, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "logged-in", + 
"module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31941", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "sNKXUmcBTFzn_XoLowUZ", + "source": { + "@timestamp": "2018-11-27T00:35:27.664Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "185.254.97.113" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "185.254.97.113" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186267, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31941", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "sdKXUmcBTFzn_XoLowUZ", + "source": { + "@timestamp": "2018-11-27T00:35:27.773Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31941", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "185.254.97.113" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "185.254.97.113", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 
186268, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "185.254.97.113" + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "h9GWUmcBTFzn_XoL7_UK", + "source": { + "@timestamp": "2018-11-27T00:34:41.567Z", + "process": { + "pid": "19345", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "202.84.76.146" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "secondary": "202.84.76.146", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142282 + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "iNGWUmcBTFzn_XoL7_UK", + "source": { + "@timestamp": "2018-11-27T00:34:41.568Z", + "process": { + "pid": "19345", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "202.84.76.146" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + 
"terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "202.84.76.146", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 142283 + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "idGWUmcBTFzn_XoL7_UK", + "source": { + "@timestamp": "2018-11-27T00:34:41.795Z", + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "process": { + "pid": "19345", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "202.84.76.146" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "202.84.76.146" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "secondary": "202.84.76.146", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142284, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "StKaUmcBTFzn_XoL5kzE", + "source": { + "@timestamp": "2018-11-27T00:39:01.594Z", + "auditd": { + "result": "success", + "session": "unset", + 
"data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:accounting" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron", + "actor": { + "secondary": "root", + "primary": "unset" + } + }, + "sequence": 184300 + }, + "event": { + "category": "user-login", + "type": "user_acct", + "action": "was-authorized", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "25011" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "S9KaUmcBTFzn_XoL5kzE", + "source": { + "@timestamp": "2018-11-27T00:39:01.594Z", + "process": { + "pid": "25011", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 184301, + "result": "success", + "session": "unset", + "data": { + "terminal": "cron", + "op": "PAM:setcred", + "acct": "root" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "cred_acq", + "action": "acquired-credentials" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "TNKaUmcBTFzn_XoL5kzE", + "source": { + "@timestamp": "2018-11-27T00:39:01.596Z", + "event": { + "type": "user_start", + "action": "started-session", + "module": "auditd", + "category": 
"user-login" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "25011", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "result": "success", + "session": "9856", + "data": { + "acct": "root", + "op": "PAM:session_open", + "terminal": "cron" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 184303 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "TdKaUmcBTFzn_XoL5kzE", + "source": { + "@timestamp": "2018-11-27T00:39:01.697Z", + "auditd": { + "session": "9856", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:setcred" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + } + }, + "sequence": 184304, + "result": "success" + }, + "event": { + "category": "user-login", + "type": "cred_disp", + "action": "disposed-credentials", + "module": "auditd" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "25011", + "exe": "/usr/sbin/cron" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "TtKaUmcBTFzn_XoL5kzE", + "source": { + "@timestamp": "2018-11-27T00:39:01.698Z", + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": 
"demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "event": { + "category": "user-login", + "type": "user_end", + "action": "ended-session", + "module": "auditd" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "25011", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "data": { + "terminal": "cron", + "op": "PAM:session_close", + "acct": "root" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + }, + "sequence": 184305, + "result": "success", + "session": "9856" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "V9KaUmcBTFzn_XoL50x5", + "source": { + "@timestamp": "2018-11-27T00:39:01.774Z", + "auditd": { + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:accounting" + }, + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 192443, + "result": "success", + "session": "unset" + }, + "event": { + "type": "user_acct", + "action": "was-authorized", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32579", + "exe": "/usr/sbin/cron" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "WNKaUmcBTFzn_XoL50x5", + "source": { + "@timestamp": "2018-11-27T00:39:01.774Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "cred_acq", + "action": "acquired-credentials" + }, + "user": { + "uid": 
"0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "32579" + }, + "auditd": { + "sequence": 192444, + "result": "success", + "session": "unset", + "data": { + "op": "PAM:setcred", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "WdKaUmcBTFzn_XoL50x5", + "source": { + "@timestamp": "2018-11-27T00:39:01.776Z", + "process": { + "pid": "32579", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "session": "9860", + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:session_open" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 192446, + "result": "success" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_start", + "action": "started-session", + "module": "auditd" + }, + "user": { + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "WtKaUmcBTFzn_XoL50x5", + "source": { + "@timestamp": "2018-11-27T00:39:01.873Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { 
+ "primary": "cron", + "type": "user-session" + } + }, + "sequence": 192447, + "result": "success", + "session": "9860", + "data": { + "op": "PAM:setcred", + "acct": "root", + "terminal": "cron" + } + }, + "event": { + "action": "disposed-credentials", + "module": "auditd", + "category": "user-login", + "type": "cred_disp" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32579", + "exe": "/usr/sbin/cron" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "W9KaUmcBTFzn_XoL50x5", + "source": { + "@timestamp": "2018-11-27T00:39:01.874Z", + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "process": { + "pid": "32579", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "data": { + "terminal": "cron", + "op": "PAM:session_close", + "acct": "root" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 192448, + "result": "success", + "session": "9860" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_end", + "action": "ended-session", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "W9KbUmcBTFzn_XoLP1QB", + "source": { + "@timestamp": "2018-11-27T00:39:24.137Z", + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "network": { + "direction": "incoming" + }, + 
"auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "138.68.111.27", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44121, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "28526", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "138.68.111.27" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "XNKbUmcBTFzn_XoLP1QB", + "source": { + "@timestamp": "2018-11-27T00:39:24.137Z", + "source": { + "ip": "138.68.111.27" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "138.68.111.27", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44122, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "28526", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "XdKbUmcBTFzn_XoLP1QB", + "source": { + "@timestamp": "2018-11-27T00:39:24.241Z", + "user": { + "uid": 
"0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "28526", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "138.68.111.27" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "138.68.111.27" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "138.68.111.27", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44123 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CNKiUmcBTFzn_XoLvfm3", + "source": { + "@timestamp": "2018-11-27T00:47:35.372Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19424", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "137.74.114.109" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "sequence": 142300, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "137.74.114.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", 
+ "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CdKiUmcBTFzn_XoLvfm3", + "source": { + "@timestamp": "2018-11-27T00:47:35.374Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19424" + }, + "source": { + "ip": "137.74.114.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "secondary": "137.74.114.109", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 142301, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CtKiUmcBTFzn_XoLvfm3", + "source": { + "@timestamp": "2018-11-27T00:47:35.480Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19424" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "source": { + "ip": "137.74.114.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "137.74.114.109" + }, + "how": 
"/usr/sbin/sshd" + }, + "sequence": 142302, + "result": "fail", + "session": "unset", + "data": { + "hostname": "137.74.114.109", + "op": "PAM:bad_ident", + "terminal": "ssh" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qdOkUmcBTFzn_XoLDBVT", + "source": { + "@timestamp": "2018-11-27T00:49:01.033Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "25113", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "121.67.246.139" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "121.67.246.139", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184309, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qtOkUmcBTFzn_XoLDBVT", + "source": { + "@timestamp": "2018-11-27T00:49:01.034Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184310, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "121.67.246.139", + "type": "user-session" + } + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": 
"user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "25113", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "121.67.246.139" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "q9OkUmcBTFzn_XoLDBVT", + "source": { + "@timestamp": "2018-11-27T00:49:01.224Z", + "auditd": { + "data": { + "hostname": "121.67.246.139", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "121.67.246.139", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184311, + "result": "fail", + "session": "unset" + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "25113", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "121.67.246.139" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qNOkUmcBTFzn_XoLgx_7", + "source": { + "@timestamp": "2018-11-27T00:49:31.664Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "25115", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "179.228.242.120" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": 
"login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "179.228.242.120", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184312, + "result": "fail" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qdOkUmcBTFzn_XoLgx_7", + "source": { + "@timestamp": "2018-11-27T00:49:31.665Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "25115", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "179.228.242.120" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "179.228.242.120", + "type": "user-session" + } + }, + "sequence": 184313, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qtOkUmcBTFzn_XoLgx_7", + "source": { + "@timestamp": "2018-11-27T00:49:31.831Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + 
"hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "25115", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "179.228.242.120" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "179.228.242.120", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184314, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "179.228.242.120" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "BtKiUmcBTFzn_XoL-P7X", + "source": { + "@timestamp": "2018-11-27T00:47:50.509Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19431", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "39.110.219.91" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "39.110.219.91", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142303, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "B9KiUmcBTFzn_XoL-P7X", + "source": { + "@timestamp": "2018-11-27T00:47:50.511Z", + "source": { + "ip": "39.110.219.91" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142304, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "39.110.219.91", + "type": "user-session" + } + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19431", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CNKiUmcBTFzn_XoL-P7X", + "source": { + "@timestamp": "2018-11-27T00:47:50.642Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19431", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "39.110.219.91" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "39.110.219.91", + "type": "user-session" + } + }, + "sequence": 142305, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "39.110.219.91" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + 
"name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "X9OkUmcBTFzn_XoLABX7", + "source": { + "@timestamp": "2018-11-27T00:48:58.129Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19439", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "41.89.47.14" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142306, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "41.89.47.14", + "type": "user-session" + } + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YNOkUmcBTFzn_XoLABX7", + "source": { + "@timestamp": "2018-11-27T00:48:58.130Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "41.89.47.14", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142307, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { 
+ "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19439", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "41.89.47.14" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YdOkUmcBTFzn_XoLABX7", + "source": { + "@timestamp": "2018-11-27T00:48:58.365Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "hostname": "41.89.47.14", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "object": { + "secondary": "41.89.47.14", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 142308 + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19439", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "41.89.47.14" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gNOkUmcBTFzn_XoL8ilB", + "source": { + "@timestamp": "2018-11-27T00:49:59.894Z", + "process": { + "pid": "32019", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "105.16.153.210" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": 
"(unknown user)" + }, + "object": { + "secondary": "105.16.153.210", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186284 + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gdOkUmcBTFzn_XoL8ilB", + "source": { + "@timestamp": "2018-11-27T00:49:59.895Z", + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "32019", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "105.16.153.210" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "105.16.153.210", + "type": "user-session" + } + }, + "sequence": 186285, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gtOkUmcBTFzn_XoL8ilB", + "source": { + "@timestamp": "2018-11-27T00:50:00.158Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "auid": "unset", 
+ "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32019", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "105.16.153.210" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186286, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "105.16.153.210", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "105.16.153.210" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FdOlUmcBTFzn_XoLkjc2", + "source": { + "@timestamp": "2018-11-27T00:50:40.838Z", + "source": { + "ip": "188.166.243.150" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44130, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "188.166.243.150", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "28746", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FtOlUmcBTFzn_XoLkjc2", + "source": { + 
"@timestamp": "2018-11-27T00:50:40.842Z", + "source": { + "ip": "188.166.243.150" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "188.166.243.150", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 44131 + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "28746" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "F9OlUmcBTFzn_XoLkjc2", + "source": { + "@timestamp": "2018-11-27T00:50:41.034Z", + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "188.166.243.150", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "188.166.243.150" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 44132, + "result": "fail" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "28746", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": 
"188.166.243.150" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JdOmUmcBTFzn_XoLCEHk", + "source": { + "@timestamp": "2018-11-27T00:51:11.223Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43140, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "194.35.114.10" + } + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "12495", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "194.35.114.10" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JtOmUmcBTFzn_XoLCEHk", + "source": { + "@timestamp": "2018-11-27T00:51:11.223Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12495" + }, + "source": { + "ip": "194.35.114.10" + }, + "network": { + "direction": "incoming" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "194.35.114.10" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43141, + "result": "fail", + 
"session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "J9OmUmcBTFzn_XoLCEHk", + "source": { + "@timestamp": "2018-11-27T00:51:11.503Z", + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12495" + }, + "source": { + "ip": "194.35.114.10" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "hostname": "194.35.114.10", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "194.35.114.10", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43142 + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0dOlUmcBTFzn_XoLvzre", + "source": { + "@timestamp": "2018-11-27T00:50:52.531Z", + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "104.131.178.223", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44133, + "result": "fail" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": 
"7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "28750", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.131.178.223" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0tOlUmcBTFzn_XoLvzre", + "source": { + "@timestamp": "2018-11-27T00:50:52.531Z", + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "104.131.178.223", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 44134, + "result": "fail" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "28750" + }, + "source": { + "ip": "104.131.178.223" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "09OlUmcBTFzn_XoLvzre", + "source": { + "@timestamp": "2018-11-27T00:50:52.559Z", + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "28750", + "exe": 
"/usr/sbin/sshd" + }, + "source": { + "ip": "104.131.178.223" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "104.131.178.223" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "104.131.178.223", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44135 + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "7NSvUmcBTFzn_XoL9Rog", + "source": { + "@timestamp": "2018-11-27T01:02:01.525Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "25194", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "211.219.52.136" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "211.219.52.136" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184321, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "7dSvUmcBTFzn_XoL9Rog", + "source": { + "@timestamp": "2018-11-27T01:02:01.526Z", + "auditd": { + "sequence": 184322, + "result": "fail", + "session": "unset", + "data": { 
+ "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "211.219.52.136", + "type": "user-session" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "25194", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "211.219.52.136" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "7tSvUmcBTFzn_XoL9Rog", + "source": { + "@timestamp": "2018-11-27T01:02:01.686Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "25194", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "211.219.52.136" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "211.219.52.136", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184323, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "211.219.52.136" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "btOsUmcBTFzn_XoLdc7t", + "source": { + "@timestamp": "2018-11-27T00:58:12.354Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19491", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "91.234.241.55" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "91.234.241.55", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142312, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "b9OsUmcBTFzn_XoLdc7t", + "source": { + "@timestamp": "2018-11-27T00:58:12.355Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19491" + }, + "source": { + "ip": "91.234.241.55" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { 
+ "secondary": "91.234.241.55", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 142313, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "cNOsUmcBTFzn_XoLdc7t", + "source": { + "@timestamp": "2018-11-27T00:58:12.497Z", + "source": { + "ip": "91.234.241.55" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "ssh", + "secondary": "91.234.241.55", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + } + }, + "sequence": 142314, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "91.234.241.55" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19491" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "VtOsUmcBTFzn_XoLGcfx", + "source": { + "@timestamp": "2018-11-27T00:57:48.807Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19483", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "128.0.121.168" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142309, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": 
"128.0.121.168", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "V9OsUmcBTFzn_XoLGcfx", + "source": { + "@timestamp": "2018-11-27T00:57:48.808Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19483", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "128.0.121.168" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "128.0.121.168", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 142310 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "WNOsUmcBTFzn_XoLGcfx", + "source": { + "@timestamp": "2018-11-27T00:57:48.917Z", + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "19483", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "128.0.121.168" + }, + "network": { + 
"direction": "incoming" + }, + "auditd": { + "sequence": 142311, + "result": "fail", + "session": "unset", + "data": { + "hostname": "128.0.121.168", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "128.0.121.168", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "p9SvUmcBTFzn_XoLTQyw", + "source": { + "@timestamp": "2018-11-27T01:01:18.662Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "220.135.55.172", + "type": "user-session" + } + }, + "sequence": 192458, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32763", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "220.135.55.172" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qNSvUmcBTFzn_XoLTQyw", + "source": { + "@timestamp": "2018-11-27T01:01:18.663Z", + "auditd": { + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + 
"summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "220.135.55.172", + "type": "user-session" + } + }, + "sequence": 192459, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32763", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "220.135.55.172" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qdSvUmcBTFzn_XoLTQyw", + "source": { + "@timestamp": "2018-11-27T01:01:18.839Z", + "auditd": { + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "220.135.55.172" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "220.135.55.172" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192460, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32763", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "220.135.55.172" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"ztOuUmcBTFzn_XoLCvAK", + "source": { + "@timestamp": "2018-11-27T00:59:55.808Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19499", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "13.77.75.153" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "secondary": "13.77.75.153", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142315 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "z9OuUmcBTFzn_XoLCvAK", + "source": { + "@timestamp": "2018-11-27T00:59:55.809Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19499" + }, + "source": { + "ip": "13.77.75.153" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "13.77.75.153", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142316, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": 
"demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0NOuUmcBTFzn_XoLCvAK", + "source": { + "@timestamp": "2018-11-27T00:59:55.852Z", + "process": { + "pid": "19499", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "13.77.75.153" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "13.77.75.153", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142317, + "result": "fail", + "session": "unset", + "data": { + "hostname": "13.77.75.153", + "op": "PAM:bad_ident", + "terminal": "ssh" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "59SwUmcBTFzn_XoLmSiw", + "source": { + "@timestamp": "2018-11-27T01:02:43.654Z", + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 186290, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + 
"user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32075", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6NSwUmcBTFzn_XoLmSiw", + "source": { + "@timestamp": "2018-11-27T01:02:43.655Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32075", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186291, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6dSwUmcBTFzn_XoLmSiw", + "source": { + "@timestamp": "2018-11-27T01:02:43.688Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32075", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": 
"incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "107.170.65.109", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186292, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ANSwUmcBTFzn_XoL0C7C", + "source": { + "@timestamp": "2018-11-27T01:02:57.752Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32082", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 186293, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "AdSwUmcBTFzn_XoL0C7C", + "source": { + "@timestamp": "2018-11-27T01:02:57.754Z", + "process": { + "pid": "32082", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": 
"/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 186294, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "AtSwUmcBTFzn_XoL0C7C", + "source": { + "@timestamp": "2018-11-27T01:02:57.784Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32082" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186295 + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "t9OuUmcBTFzn_XoLHfKW", + "source": { + "@timestamp": 
"2018-11-27T01:00:00.805Z", + "source": { + "ip": "178.128.127.228" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "178.128.127.228", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 44145, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "28933", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "uNOuUmcBTFzn_XoLHfKW", + "source": { + "@timestamp": "2018-11-27T01:00:00.809Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "28933", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.128.127.228" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44146, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "178.128.127.228", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": 
"7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "udOuUmcBTFzn_XoLHfKW", + "source": { + "@timestamp": "2018-11-27T01:00:01.001Z", + "auditd": { + "sequence": 44147, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "178.128.127.228" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "178.128.127.228", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "28933", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.128.127.228" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "bNOtUmcBTFzn_XoL8u_M", + "source": { + "@timestamp": "2018-11-27T00:59:49.852Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "164.132.197.108", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44142, + "result": "fail" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": 
"auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "28930" + }, + "source": { + "ip": "164.132.197.108" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "bdOtUmcBTFzn_XoL8u_M", + "source": { + "@timestamp": "2018-11-27T00:59:49.852Z", + "auditd": { + "sequence": 44143, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "164.132.197.108", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "28930", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "164.132.197.108" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "btOtUmcBTFzn_XoL8u_M", + "source": { + "@timestamp": "2018-11-27T00:59:49.964Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "28930", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "164.132.197.108" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44144, + "result": "fail", + "session": "unset", + "data": { + 
"hostname": "164.132.197.108", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "164.132.197.108" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ptS1UmcBTFzn_XoL0JuA", + "source": { + "@timestamp": "2018-11-27T01:08:25.366Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "345" + }, + "source": { + "ip": "5.186.77.221" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "5.186.77.221", + "type": "user-session" + } + }, + "sequence": 192473 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "p9S1UmcBTFzn_XoL0JuA", + "source": { + "@timestamp": "2018-11-27T01:08:25.367Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192474, + "result": "fail", + "session": "unset", + "data": { + 
"acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "5.186.77.221" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "345" + }, + "source": { + "ip": "5.186.77.221" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qNS1UmcBTFzn_XoL0JuA", + "source": { + "@timestamp": "2018-11-27T01:08:25.506Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "345" + }, + "source": { + "ip": "5.186.77.221" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192475, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "5.186.77.221", + "terminal": "ssh" + }, + "summary": { + "object": { + "secondary": "5.186.77.221", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + } + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-NS1UmcBTFzn_XoL2Jxv", + "source": { + "@timestamp": "2018-11-27T01:08:27.396Z", + "source": { + "ip": "24.37.251.196" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 
186326, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "24.37.251.196", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32127", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-dS1UmcBTFzn_XoL2Jxv", + "source": { + "@timestamp": "2018-11-27T01:08:27.397Z", + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32127" + }, + "source": { + "ip": "24.37.251.196" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "24.37.251.196", + "type": "user-session" + } + }, + "sequence": 186327 + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"-tS1UmcBTFzn_XoL2Jxv", + "source": { + "@timestamp": "2018-11-27T01:08:27.453Z", + "source": { + "ip": "24.37.251.196" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "24.37.251.196" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "24.37.251.196", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 186328 + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32127", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ydSzUmcBTFzn_XoLp2tF", + "source": { + "@timestamp": "2018-11-27T01:06:03.738Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "secondary": "178.128.124.241", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + }, + "sequence": 186311, + "result": "fail" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32108" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + 
"name": "demo-stack-redis-01" + }, + "source": { + "ip": "178.128.124.241" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ytSzUmcBTFzn_XoLp2tF", + "source": { + "@timestamp": "2018-11-27T01:06:03.739Z", + "process": { + "pid": "32108", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.128.124.241" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "178.128.124.241", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186312, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "y9SzUmcBTFzn_XoLp2tF", + "source": { + "@timestamp": "2018-11-27T01:06:03.933Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32108", + "exe": "/usr/sbin/sshd" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "source": { + "ip": "178.128.124.241" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186313, + "result": "fail", + "session": "unset", + "data": { + 
"terminal": "ssh", + "hostname": "178.128.124.241", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "secondary": "178.128.124.241", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "UtSzUmcBTFzn_XoLrWwF", + "source": { + "@timestamp": "2018-11-27T01:06:05.210Z", + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32110" + }, + "source": { + "ip": "191.92.71.194" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186314, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "191.92.71.194", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "U9SzUmcBTFzn_XoLrWwF", + "source": { + "@timestamp": "2018-11-27T01:06:05.211Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32110" + }, + "source": { + "ip": "191.92.71.194" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid 
user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "191.92.71.194", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186315 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "VNSzUmcBTFzn_XoLrWwF", + "source": { + "@timestamp": "2018-11-27T01:06:05.347Z", + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "191.92.71.194" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186316, + "result": "fail", + "session": "unset", + "data": { + "hostname": "191.92.71.194", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "191.92.71.194", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32110", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ztS0UmcBTFzn_XoLK3fA", + "source": { + "@timestamp": "2018-11-27T01:06:37.654Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + 
"process": { + "pid": "327", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "106.241.53.82" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192467, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "106.241.53.82" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "z9S0UmcBTFzn_XoLK3fA", + "source": { + "@timestamp": "2018-11-27T01:06:37.655Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "106.241.53.82", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192468, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "327", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "106.241.53.82" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0NS0UmcBTFzn_XoLK3fA", + "source": { + "@timestamp": "2018-11-27T01:06:37.861Z", + "beat": 
{ + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "327", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "106.241.53.82" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "106.241.53.82", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "106.241.53.82" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192469 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "k9S0UmcBTFzn_XoLPHgu", + "source": { + "@timestamp": "2018-11-27T01:06:41.860Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "330" + }, + "source": { + "ip": "170.210.88.50" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "170.210.88.50", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192470, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + 
"type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "lNS0UmcBTFzn_XoLPHgu", + "source": { + "@timestamp": "2018-11-27T01:06:41.861Z", + "auditd": { + "sequence": 192471, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "170.210.88.50", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "330", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "170.210.88.50" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ldS0UmcBTFzn_XoLPHgu", + "source": { + "@timestamp": "2018-11-27T01:06:42.073Z", + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "170.210.88.50", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "170.210.88.50", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192472, + "result": "fail" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + 
"auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "330", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "170.210.88.50" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "bdS1UmcBTFzn_XoLo5cq", + "source": { + "@timestamp": "2018-11-27T01:08:13.760Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186323, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32125", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "btS1UmcBTFzn_XoLo5cq", + "source": { + "@timestamp": "2018-11-27T01:08:13.761Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32125" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": 
"unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 186324 + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "b9S1UmcBTFzn_XoLo5cq", + "source": { + "@timestamp": "2018-11-27T01:08:13.791Z", + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32125" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186325, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "107.170.65.109", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "c9S0UmcBTFzn_XoLsoI4", + "source": { + "@timestamp": "2018-11-27T01:07:12.077Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, 
+ "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 186320, + "result": "fail" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32117", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "dNS0UmcBTFzn_XoLsoI4", + "source": { + "@timestamp": "2018-11-27T01:07:12.079Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186321, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "32117", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ddS0UmcBTFzn_XoLsoI4", + "source": { + "@timestamp": "2018-11-27T01:07:12.110Z", + "auditd": { + "sequence": 186322, + "result": "fail", + "session": "unset", + "data": { + "hostname": 
"107.170.65.109", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32117", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "U9SzUmcBTFzn_XoLw27K", + "source": { + "@timestamp": "2018-11-27T01:06:11.040Z", + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "sequence": 186317, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32112", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": 
"doc", + "id": "VNSzUmcBTFzn_XoLw27K", + "source": { + "@timestamp": "2018-11-27T01:06:11.041Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186318, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32112", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "VdSzUmcBTFzn_XoLw27K", + "source": { + "@timestamp": "2018-11-27T01:06:11.071Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32112", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "hostname": "107.170.65.109", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + 
"how": "/usr/sbin/sshd" + }, + "sequence": 186319, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "o9S0UmcBTFzn_XoL1YXV", + "source": { + "@timestamp": "2018-11-27T01:07:21.191Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "104.234.223.14", + "type": "user-session" + } + }, + "sequence": 44148, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "29074", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "source": { + "ip": "104.234.223.14" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "pNS0UmcBTFzn_XoL1YXV", + "source": { + "@timestamp": "2018-11-27T01:07:21.195Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "104.234.223.14", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 44149, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": 
"user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "29074", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.234.223.14" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "pdS0UmcBTFzn_XoL1YXV", + "source": { + "@timestamp": "2018-11-27T01:07:21.243Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "hostname": "104.234.223.14", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "104.234.223.14" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44150 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "29074" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "source": { + "ip": "104.234.223.14" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "dtS2UmcBTFzn_XoLXqd2", + "source": { + "@timestamp": "2018-11-27T01:09:01.707Z", + "auditd": { + "result": "success", + "session": "unset", + "data": { + "op": "PAM:accounting", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 184324 + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + 
"version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_acct", + "action": "was-authorized", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "25243", + "exe": "/usr/sbin/cron" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "d9S2UmcBTFzn_XoLXqd2", + "source": { + "@timestamp": "2018-11-27T01:09:01.708Z", + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "event": { + "action": "acquired-credentials", + "module": "auditd", + "category": "user-login", + "type": "cred_acq" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "25243", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:setcred" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 184325, + "result": "success" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "eNS2UmcBTFzn_XoLXqd2", + "source": { + "@timestamp": "2018-11-27T01:09:01.710Z", + "process": { + "pid": "25243", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 184327, + "result": "success", + "session": "9857", + "data": { + "terminal": "cron", + "op": "PAM:session_open", + "acct": "root" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "event": { + "action": "started-session", + "module": "auditd", 
+ "category": "user-login", + "type": "user_start" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "edS2UmcBTFzn_XoLXqd2", + "source": { + "@timestamp": "2018-11-27T01:09:01.806Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "cred_disp", + "action": "disposed-credentials" + }, + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "process": { + "pid": "25243", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 184328, + "result": "success", + "session": "9857", + "data": { + "terminal": "cron", + "op": "PAM:setcred", + "acct": "root" + } + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "etS2UmcBTFzn_XoLXqd2", + "source": { + "@timestamp": "2018-11-27T01:09:01.808Z", + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_end", + "action": "ended-session", + "module": "auditd" + }, + "user": { + "auid": "0", + "name_map": { + "uid": "root", + "auid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "25243", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 184329, 
+ "result": "success", + "session": "9857", + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:session_close" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "secondary": "root", + "primary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "t9S2UmcBTFzn_XoLX6cl", + "source": { + "@timestamp": "2018-11-27T01:09:01.883Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "type": "user_acct", + "action": "was-authorized", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "348", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 192476, + "result": "success", + "session": "unset", + "data": { + "op": "PAM:accounting", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "uNS2UmcBTFzn_XoLX6cl", + "source": { + "@timestamp": "2018-11-27T01:09:01.884Z", + "event": { + "type": "cred_acq", + "action": "acquired-credentials", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "348", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 192477, + "result": "success", + "session": "unset", + 
"data": { + "op": "PAM:setcred", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron", + "actor": { + "secondary": "root", + "primary": "unset" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "udS2UmcBTFzn_XoLX6cl", + "source": { + "@timestamp": "2018-11-27T01:09:01.885Z", + "auditd": { + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + } + }, + "sequence": 192479, + "result": "success", + "session": "9861", + "data": { + "terminal": "cron", + "op": "PAM:session_open", + "acct": "root" + } + }, + "event": { + "category": "user-login", + "type": "user_start", + "action": "started-session", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + } + }, + "process": { + "pid": "348", + "exe": "/usr/sbin/cron" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "utS2UmcBTFzn_XoLX6cl", + "source": { + "@timestamp": "2018-11-27T01:09:01.981Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 192480, + "result": "success", + "session": "9861", + "data": { + "op": "PAM:setcred", + "terminal": "cron", + "acct": "root" + } + }, + "event": { + "category": "user-login", + "type": 
"cred_disp", + "action": "disposed-credentials", + "module": "auditd" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "348", + "exe": "/usr/sbin/cron" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "u9S2UmcBTFzn_XoLX6cl", + "source": { + "@timestamp": "2018-11-27T01:09:01.982Z", + "event": { + "type": "user_end", + "action": "ended-session", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "0", + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + } + }, + "process": { + "pid": "348", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "session": "9861", + "data": { + "terminal": "cron", + "op": "PAM:session_close", + "acct": "root" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "secondary": "root", + "primary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + } + }, + "sequence": 192481, + "result": "success" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ItS2UmcBTFzn_XoLBKBn", + "source": { + "@timestamp": "2018-11-27T01:08:38.649Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "178.33.228.67", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44151, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + 
}, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "29096", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.33.228.67" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "I9S2UmcBTFzn_XoLBKBn", + "source": { + "@timestamp": "2018-11-27T01:08:38.649Z", + "source": { + "ip": "178.33.228.67" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "178.33.228.67", + "type": "user-session" + } + }, + "sequence": 44152 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "29096", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JNS2UmcBTFzn_XoLBKBn", + "source": { + "@timestamp": "2018-11-27T01:08:38.757Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "29096", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.33.228.67" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": 
"7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "ssh", + "hostname": "178.33.228.67", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "178.33.228.67", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44153, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "LNS4UmcBTFzn_XoLIM6c", + "source": { + "@timestamp": "2018-11-27T01:10:56.938Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184333, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "91.230.8.194" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "91.230.8.194" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "25299", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "91.230.8.194" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2NS4UmcBTFzn_XoLMc9n", + "source": { + "@timestamp": "2018-11-27T01:11:01.244Z", + "process": { + "pid": "29148", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "85.234.34.92" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", 
+ "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "85.234.34.92", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44158, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2dS4UmcBTFzn_XoLMc9n", + "source": { + "@timestamp": "2018-11-27T01:11:01.244Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "29148", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "source": { + "ip": "85.234.34.92" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "85.234.34.92" + } + }, + "sequence": 44159, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2tS4UmcBTFzn_XoLMc9n", + "source": { + "@timestamp": "2018-11-27T01:11:01.400Z", + "process": { + "exe": "/usr/sbin/sshd", 
+ "pid": "29148" + }, + "source": { + "ip": "85.234.34.92" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44160, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "85.234.34.92", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "85.234.34.92" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ctS3UmcBTFzn_XoLgcD-", + "source": { + "@timestamp": "2018-11-27T01:10:16.337Z", + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "79.137.64.132", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186333, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32141", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "79.137.64.132" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "c9S3UmcBTFzn_XoLgcD-", + "source": { + "@timestamp": "2018-11-27T01:10:16.339Z", + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "79.137.64.132" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186334, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "79.137.64.132", + "type": "user-session" + } + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32141" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "dNS3UmcBTFzn_XoLgcD-", + "source": { + "@timestamp": "2018-11-27T01:10:16.445Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "79.137.64.132" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186335, + "result": "fail", + "session": "unset", + "data": { + "hostname": "79.137.64.132", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "secondary": "79.137.64.132", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + 
"auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32141", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "u9S3UmcBTFzn_XoLh8GC", + "source": { + "@timestamp": "2018-11-27T01:10:17.752Z", + "auditd": { + "data": { + "hostname": "107.170.65.109", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186336, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32148", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Z9S2UmcBTFzn_XoLtK-X", + "source": { + "@timestamp": "2018-11-27T01:09:23.757Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192482, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "109.202.18.235", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": 
{ + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "process": { + "pid": "397", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "109.202.18.235" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "aNS2UmcBTFzn_XoLtK-X", + "source": { + "@timestamp": "2018-11-27T01:09:23.758Z", + "process": { + "pid": "397", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "109.202.18.235" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "109.202.18.235", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192483, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "adS2UmcBTFzn_XoLtK-X", + "source": { + "@timestamp": "2018-11-27T01:09:23.948Z", + "source": { + "ip": "109.202.18.235" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192484, + "result": "fail", + "session": "unset", + "data": { + "hostname": "109.202.18.235", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": 
"user-session", + "primary": "ssh", + "secondary": "109.202.18.235" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "397" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "BdS4UmcBTFzn_XoLFs5k", + "source": { + "@timestamp": "2018-11-27T01:10:54.329Z", + "auditd": { + "sequence": 184330, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "188.68.54.39", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "25297", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "188.68.54.39" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "BtS4UmcBTFzn_XoLFs5k", + "source": { + "@timestamp": "2018-11-27T01:10:54.330Z", + "auditd": { + "sequence": 184331, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + 
"summary": { + "object": { + "primary": "sshd", + "secondary": "188.68.54.39", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "25297", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "188.68.54.39" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "B9S4UmcBTFzn_XoLFs5k", + "source": { + "@timestamp": "2018-11-27T01:10:54.443Z", + "source": { + "ip": "188.68.54.39" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184332, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "188.68.54.39", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "188.68.54.39", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "25297", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "F9S2UmcBTFzn_XoLf6s6", + "source": { + 
"@timestamp": "2018-11-27T01:09:10.091Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "46.148.18.163", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186329 + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32135", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.148.18.163" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "GNS2UmcBTFzn_XoLf6s6", + "source": { + "@timestamp": "2018-11-27T01:09:10.092Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32135", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.148.18.163" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "46.148.18.163", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186330, + "result": "fail" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + 
"action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "GdS2UmcBTFzn_XoLf6s6", + "source": { + "@timestamp": "2018-11-27T01:09:10.235Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32135" + }, + "source": { + "ip": "46.148.18.163" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "46.148.18.163" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "46.148.18.163", + "type": "user-session" + } + }, + "sequence": 186331, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "l9S2UmcBTFzn_XoLxbHN", + "source": { + "@timestamp": "2018-11-27T01:09:28.162Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "399", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "103.68.38.86" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192485, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": 
"103.68.38.86", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "mNS2UmcBTFzn_XoLxbHN", + "source": { + "@timestamp": "2018-11-27T01:09:28.163Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "103.68.38.86" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192486 + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "399" + }, + "source": { + "ip": "103.68.38.86" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "mdS2UmcBTFzn_XoLxbHN", + "source": { + "@timestamp": "2018-11-27T01:09:28.435Z", + "auditd": { + "summary": { + "object": { + "primary": "ssh", + "secondary": "103.68.38.86", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 192487, + "result": "fail", + "session": "unset", + "data": { + "hostname": "103.68.38.86", + "op": "PAM:bad_ident", + "terminal": "ssh" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": 
"user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "399", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "103.68.38.86" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KdS3UmcBTFzn_XoL-8sa", + "source": { + "@timestamp": "2018-11-27T01:10:47.311Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "29142", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.38.37.69" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44155, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "51.38.37.69", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KtS3UmcBTFzn_XoL-8sa", + "source": { + "@timestamp": "2018-11-27T01:10:47.315Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "29142", + 
"exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.38.37.69" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "51.38.37.69", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44156, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "K9S3UmcBTFzn_XoL-8sa", + "source": { + "@timestamp": "2018-11-27T01:10:47.419Z", + "auditd": { + "data": { + "terminal": "ssh", + "hostname": "51.38.37.69", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "51.38.37.69" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44157, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "29142" + }, + "source": { + "ip": "51.38.37.69" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "itS2UmcBTFzn_XoLlayd", + "source": { + "@timestamp": "2018-11-27T01:09:15.827Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + 
"user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32137", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "107.170.65.109", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 186332 + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "I9S3UmcBTFzn_XoLlcLB", + "source": { + "@timestamp": "2018-11-27T01:10:21.397Z", + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "29135", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "142.93.31.198" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "142.93.31.198" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "142.93.31.198", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44154, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"PdW9UmcBTFzn_XoLr0tl", + "source": { + "@timestamp": "2018-11-27T01:17:01.176Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "29271" + }, + "auditd": { + "sequence": 44173, + "result": "success", + "session": "unset", + "data": { + "op": "PAM:accounting", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "secondary": "root", + "primary": "unset" + } + } + }, + "event": { + "type": "user_acct", + "action": "was-authorized", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "PtW9UmcBTFzn_XoLr0tl", + "source": { + "@timestamp": "2018-11-27T01:17:01.176Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "29271", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "summary": { + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 44174, + "result": "success", + "session": "unset", + "data": { + "acct": "root", + "op": "PAM:setcred", + "terminal": "cron" + } + }, + "event": { + "type": "cred_acq", + "action": "acquired-credentials", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "P9W9UmcBTFzn_XoLr0tl", + "source": { + "@timestamp": 
"2018-11-27T01:17:01.180Z", + "process": { + "pid": "29271", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 44176, + "result": "success", + "session": "1444", + "data": { + "op": "PAM:session_open", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "event": { + "type": "user_start", + "action": "started-session", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QNW9UmcBTFzn_XoLr0tl", + "source": { + "@timestamp": "2018-11-27T01:17:01.180Z", + "process": { + "pid": "29271", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 44177, + "result": "success", + "session": "1444", + "data": { + "op": "PAM:setcred", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "action": "disposed-credentials", + "module": "auditd", + "category": "user-login", + "type": "cred_disp" + }, + "user": { + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0", + "auid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QdW9UmcBTFzn_XoLr0tl", + "source": { + "@timestamp": "2018-11-27T01:17:01.180Z", + "user": { 
+ "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "29271", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 44178, + "result": "success", + "session": "1444", + "data": { + "op": "PAM:session_close", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "secondary": "root", + "primary": "root" + } + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_end", + "action": "ended-session" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QtW9UmcBTFzn_XoLr0ty", + "source": { + "@timestamp": "2018-11-27T01:17:01.191Z", + "event": { + "category": "user-login", + "type": "user_acct", + "action": "was-authorized", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "19593", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 142321, + "result": "success", + "session": "unset", + "data": { + "acct": "root", + "op": "PAM:accounting", + "terminal": "cron" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Q9W9UmcBTFzn_XoLr0ty", + "source": { + "@timestamp": "2018-11-27T01:17:01.191Z", + "process": { + "pid": "19593", + "exe": 
"/usr/sbin/cron" + }, + "auditd": { + "data": { + "terminal": "cron", + "op": "PAM:setcred", + "acct": "root" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + }, + "sequence": 142322, + "result": "success", + "session": "unset" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "event": { + "action": "acquired-credentials", + "module": "auditd", + "category": "user-login", + "type": "cred_acq" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "RNW9UmcBTFzn_XoLr0ty", + "source": { + "@timestamp": "2018-11-27T01:17:01.193Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_start", + "action": "started-session" + }, + "user": { + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0", + "auid": "0" + }, + "process": { + "pid": "19593", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 142324, + "result": "success", + "session": "3503", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:session_open" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "RdW9UmcBTFzn_XoLr0ty", + "source": { + "@timestamp": "2018-11-27T01:17:01.196Z", + "user": { + "auid": "0", + "name_map": { + "auid": "root", + 
"uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19593", + "exe": "/usr/sbin/cron" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 142325, + "result": "success", + "session": "3503", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:setcred" + } + }, + "event": { + "category": "user-login", + "type": "cred_disp", + "action": "disposed-credentials", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "RtW9UmcBTFzn_XoLr0ty", + "source": { + "@timestamp": "2018-11-27T01:17:01.196Z", + "event": { + "category": "user-login", + "type": "user_end", + "action": "ended-session", + "module": "auditd" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19593", + "exe": "/usr/sbin/cron" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "data": { + "op": "PAM:session_close", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + } + }, + "sequence": 142326, + "result": "success", + "session": "3503" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "WdW9UmcBTFzn_XoLr0uP", + "source": { + "@timestamp": "2018-11-27T01:17:01.214Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "pid": 
"12641", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "data": { + "terminal": "cron", + "op": "PAM:accounting", + "acct": "root" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 43155, + "result": "success", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_acct", + "action": "was-authorized", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "WtW9UmcBTFzn_XoLr0uP", + "source": { + "@timestamp": "2018-11-27T01:17:01.214Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "12641", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "result": "success", + "session": "unset", + "data": { + "op": "PAM:setcred", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + }, + "sequence": 43156 + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "cred_acq", + "action": "acquired-credentials" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "W9W9UmcBTFzn_XoLr0uP", + "source": { + "@timestamp": "2018-11-27T01:17:01.218Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_start", + 
"action": "started-session", + "module": "auditd" + }, + "user": { + "auid": "0", + "uid": "0", + "name_map": { + "uid": "root", + "auid": "root" + } + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "12641" + }, + "auditd": { + "data": { + "op": "PAM:session_open", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 43158, + "result": "success", + "session": "1252" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "XNW9UmcBTFzn_XoLr0uP", + "source": { + "@timestamp": "2018-11-27T01:17:01.218Z", + "auditd": { + "sequence": 43159, + "result": "success", + "session": "1252", + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:setcred" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "cred_disp", + "action": "disposed-credentials" + }, + "user": { + "uid": "0", + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + } + }, + "process": { + "pid": "12641", + "exe": "/usr/sbin/cron" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "XdW9UmcBTFzn_XoLr0uP", + "source": { + "@timestamp": "2018-11-27T01:17:01.222Z", + "process": { + "pid": "12641", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "session": "1252", + "data": { + "terminal": "cron", + 
"op": "PAM:session_close", + "acct": "root" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 43160, + "result": "success" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "action": "ended-session", + "module": "auditd", + "category": "user-login", + "type": "user_end" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "adW9UmcBTFzn_XoLsUvf", + "source": { + "@timestamp": "2018-11-27T01:17:01.812Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_acct", + "action": "was-authorized" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "process": { + "pid": "25339", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 184337, + "result": "success", + "session": "unset", + "data": { + "op": "PAM:accounting", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "atW9UmcBTFzn_XoLsUvf", + "source": { + "@timestamp": "2018-11-27T01:17:01.813Z", + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "action": "acquired-credentials", + "module": "auditd", + "category": "user-login", + "type": "cred_acq" + 
}, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "25339", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 184338, + "result": "success", + "session": "unset", + "data": { + "acct": "root", + "op": "PAM:setcred", + "terminal": "cron" + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "a9W9UmcBTFzn_XoLsUvf", + "source": { + "@timestamp": "2018-11-27T01:17:01.814Z", + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "25339", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "data": { + "terminal": "cron", + "op": "PAM:session_open", + "acct": "root" + }, + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + } + }, + "sequence": 184340, + "result": "success", + "session": "9858" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_start", + "action": "started-session" + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "bNW9UmcBTFzn_XoLsUvf", + "source": { + "@timestamp": "2018-11-27T01:17:01.817Z", + "process": { + "pid": "25339", + "exe": "/usr/sbin/cron" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + 
"name": "demo-stack-apache-01" + }, + "auditd": { + "result": "success", + "session": "9858", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:setcred" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 184341 + }, + "event": { + "type": "cred_disp", + "action": "disposed-credentials", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "bdW9UmcBTFzn_XoLsUvf", + "source": { + "@timestamp": "2018-11-27T01:17:01.818Z", + "event": { + "category": "user-login", + "type": "user_end", + "action": "ended-session", + "module": "auditd" + }, + "user": { + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "25339" + }, + "auditd": { + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 184342, + "result": "success", + "session": "9858", + "data": { + "acct": "root", + "op": "PAM:session_close", + "terminal": "cron" + } + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "a9W-UmcBTFzn_XoL5GZq", + "source": { + "@timestamp": "2018-11-27T01:18:20.287Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", 
+ "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19602", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "209.59.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "209.59.65.109" + } + }, + "sequence": 142327, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "bNW-UmcBTFzn_XoL5GZq", + "source": { + "@timestamp": "2018-11-27T01:18:20.288Z", + "source": { + "ip": "209.59.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142328, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "209.59.65.109" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "19602", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "bdW-UmcBTFzn_XoL5GZq", + "source": { + "@timestamp": "2018-11-27T01:18:20.382Z", + 
"auditd": { + "sequence": 142329, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "209.59.65.109", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "209.59.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19602", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "209.59.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "h9W-UmcBTFzn_XoL6WZS", + "source": { + "@timestamp": "2018-11-27T01:18:21.543Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "source": { + "ip": "95.156.31.74" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "95.156.31.74" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142330, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19604", + "exe": "/usr/sbin/sshd" + } + 
} + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "iNW-UmcBTFzn_XoL6WZS", + "source": { + "@timestamp": "2018-11-27T01:18:21.545Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "19604", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "95.156.31.74" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142331, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "95.156.31.74", + "type": "user-session", + "primary": "sshd" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "idW-UmcBTFzn_XoL6WZS", + "source": { + "@timestamp": "2018-11-27T01:18:21.689Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19604", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "source": { + "ip": "95.156.31.74" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "95.156.31.74" + }, + "summary": { + "object": { + 
"secondary": "95.156.31.74", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 142332 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "39W_UmcBTFzn_XoLD2nn", + "source": { + "@timestamp": "2018-11-27T01:18:31.420Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32215", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 186386, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "4NW_UmcBTFzn_XoLD2nn", + "source": { + "@timestamp": "2018-11-27T01:18:31.421Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32215", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + 
"direction": "incoming" + }, + "auditd": { + "sequence": 186387, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "4dW_UmcBTFzn_XoLD2nn", + "source": { + "@timestamp": "2018-11-27T01:18:31.453Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32215" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "107.170.65.109" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186388, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "adW_UmcBTFzn_XoLeXOw", + "source": { + "@timestamp": "2018-11-27T01:18:58.502Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32217", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.148.18.163" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": 
"demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186389, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "46.148.18.163", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "atW_UmcBTFzn_XoLeXOw", + "source": { + "@timestamp": "2018-11-27T01:18:58.503Z", + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "secondary": "46.148.18.163", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 186390, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32217", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.148.18.163" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "a9W_UmcBTFzn_XoLeXOw", + "source": { + "@timestamp": "2018-11-27T01:18:58.645Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + 
}, + "process": { + "pid": "32217", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.148.18.163" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "46.148.18.163" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "46.148.18.163", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 186391, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ctW-UmcBTFzn_XoLJVU7", + "source": { + "@timestamp": "2018-11-27T01:17:31.345Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32207", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186383, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "c9W-UmcBTFzn_XoLJVU7", + "source": { + "@timestamp": "2018-11-27T01:17:31.346Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32207", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186384, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "dNW-UmcBTFzn_XoLJVU7", + "source": { + "@timestamp": "2018-11-27T01:17:31.378Z", + "process": { + "pid": "32207", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186385, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "107.170.65.109", + "op": "PAM:bad_ident" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "error", + "module": "auditd", 
+ "category": "user-login", + "type": "user_err" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rdW9UmcBTFzn_XoLfkeK", + "source": { + "@timestamp": "2018-11-27T01:16:48.669Z", + "source": { + "ip": "115.146.127.132" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "115.146.127.132", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43152, + "result": "fail", + "session": "unset" + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "12639", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rtW9UmcBTFzn_XoLfkeK", + "source": { + "@timestamp": "2018-11-27T01:16:48.669Z", + "auditd": { + "summary": { + "object": { + "primary": "sshd", + "secondary": "115.146.127.132", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 43153, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { 
+ "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12639", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "115.146.127.132" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "r9W9UmcBTFzn_XoLfkeK", + "source": { + "@timestamp": "2018-11-27T01:16:48.873Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43154, + "result": "fail", + "session": "unset", + "data": { + "hostname": "115.146.127.132", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "115.146.127.132" + } + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12639", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "115.146.127.132" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "y9W9UmcBTFzn_XoLUUI6", + "source": { + "@timestamp": "2018-11-27T01:16:37.072Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32202" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + 
"primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186374, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "zNW9UmcBTFzn_XoLUUI6", + "source": { + "@timestamp": "2018-11-27T01:16:37.073Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32202" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186375, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "zdW9UmcBTFzn_XoLUUI6", + "source": { + "@timestamp": "2018-11-27T01:16:37.104Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { 
+ "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186376, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "107.170.65.109", + "op": "PAM:bad_ident" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32202" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "btW9UmcBTFzn_XoLskuL", + "source": { + "@timestamp": "2018-11-27T01:17:01.885Z", + "auditd": { + "data": { + "op": "PAM:accounting", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 186377, + "result": "success", + "session": "unset" + }, + "event": { + "type": "user_acct", + "action": "was-authorized", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "32204", + "exe": "/usr/sbin/cron" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "b9W9UmcBTFzn_XoLskuL", + "source": { + "@timestamp": "2018-11-27T01:17:01.886Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" 
+ }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "32204" + }, + "auditd": { + "result": "success", + "session": "unset", + "data": { + "op": "PAM:setcred", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 186378 + }, + "event": { + "category": "user-login", + "type": "cred_acq", + "action": "acquired-credentials", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "cNW9UmcBTFzn_XoLskuL", + "source": { + "@timestamp": "2018-11-27T01:17:01.887Z", + "auditd": { + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "secondary": "root", + "primary": "root" + } + }, + "sequence": 186380, + "result": "success", + "session": "3511", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:session_open" + } + }, + "event": { + "category": "user-login", + "type": "user_start", + "action": "started-session", + "module": "auditd" + }, + "user": { + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0", + "auid": "0" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "32204", + "exe": "/usr/sbin/cron" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "cdW9UmcBTFzn_XoLskuL", + "source": { + "@timestamp": "2018-11-27T01:17:01.890Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, 
+ "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "cred_disp", + "action": "disposed-credentials", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32204", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 186381, + "result": "success", + "session": "3511", + "data": { + "op": "PAM:setcred", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ctW9UmcBTFzn_XoLskuL", + "source": { + "@timestamp": "2018-11-27T01:17:01.891Z", + "process": { + "pid": "32204", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "data": { + "acct": "root", + "op": "PAM:session_close", + "terminal": "cron" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 186382, + "result": "success", + "session": "3511" + }, + "event": { + "type": "user_end", + "action": "ended-session", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0", + "uid": "0" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "c9W9UmcBTFzn_XoLskuR", + "source": { + "@timestamp": "2018-11-27T01:17:01.987Z", + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": 
"458" + }, + "auditd": { + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "secondary": "root", + "primary": "unset" + } + }, + "sequence": 192494, + "result": "success", + "session": "unset", + "data": { + "op": "PAM:accounting", + "acct": "root", + "terminal": "cron" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_acct", + "action": "was-authorized" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "dNW9UmcBTFzn_XoLskuR", + "source": { + "@timestamp": "2018-11-27T01:17:01.988Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "458", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 192495, + "result": "success", + "session": "unset", + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:setcred" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + } + } + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "event": { + "type": "cred_acq", + "action": "acquired-credentials", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ddW9UmcBTFzn_XoLskuR", + "source": { + "@timestamp": "2018-11-27T01:17:01.989Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": 
"user-login", + "type": "user_start", + "action": "started-session", + "module": "auditd" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "458", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "session": "9862", + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:session_open" + }, + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "secondary": "root", + "primary": "root" + } + }, + "sequence": 192497, + "result": "success" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "dtW9UmcBTFzn_XoLskuR", + "source": { + "@timestamp": "2018-11-27T01:17:01.992Z", + "event": { + "category": "user-login", + "type": "cred_disp", + "action": "disposed-credentials", + "module": "auditd" + }, + "user": { + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0", + "auid": "0" + }, + "process": { + "pid": "458", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "session": "9862", + "data": { + "acct": "root", + "op": "PAM:setcred", + "terminal": "cron" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 192498, + "result": "success" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "d9W9UmcBTFzn_XoLskuR", + "source": { + "@timestamp": "2018-11-27T01:17:01.993Z", + "event": { + "category": "user-login", + "type": "user_end", + "action": "ended-session", + "module": "auditd" + }, + "user": { + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0", + "uid": "0" + 
}, + "process": { + "pid": "458", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + } + }, + "sequence": 192499, + "result": "success", + "session": "9862", + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:session_close" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "p9W_UmcBTFzn_XoLs3cF", + "source": { + "@timestamp": "2018-11-27T01:19:13.179Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "module": "file_integrity", + "action": [ + "created" + ] + }, + "file": { + "uid": 0, + "owner": "root", + "inode": "121", + "mtime": "2018-11-27T01:19:13.174Z", + "size": 20, + "type": "file", + "gid": 0, + "mode": "0000", + "path": "/etc/sed4Tvfpv", + "ctime": "2018-11-27T01:19:13.174Z", + "group": "root" + }, + "hash": { + "sha1": "c7f9a550b77ece79052aa1a630098b911883abde" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qNW_UmcBTFzn_XoLs3cF", + "source": { + "@timestamp": "2018-11-27T01:19:13.180Z", + "event": { + "module": "file_integrity", + "action": [ + "updated" + ] + }, + "file": { + "group": "root", + "inode": "121", + "gid": 0, + "type": "file", + "mtime": "2018-11-27T01:19:13.178Z", + "ctime": "2018-11-27T01:19:13.178Z", + "uid": 0, + "mode": "0000", + "owner": "root", + "path": "/etc/sed4Tvfpv", + "size": 51 + }, + "hash": { + "sha1": "4dac5cd40b12d209e8a87bf8089fadab9edfca00" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": 
"demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qdW_UmcBTFzn_XoLs3cF", + "source": { + "@timestamp": "2018-11-27T01:19:13.187Z", + "file": { + "path": "/etc/sed4Tvfpv" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "module": "file_integrity", + "action": [ + "attributes_modified" + ] + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qtW_UmcBTFzn_XoLs3cF", + "source": { + "@timestamp": "2018-11-27T01:19:13.188Z", + "event": { + "action": [ + "moved" + ], + "module": "file_integrity" + }, + "file": { + "path": "/etc/sed4Tvfpv" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "q9W_UmcBTFzn_XoLs3cF", + "source": { + "@timestamp": "2018-11-27T01:19:13.195Z", + "event": { + "module": "file_integrity", + "action": [ + "created" + ] + }, + "file": { + "type": "file", + "owner": "root", + "mtime": "2018-11-27T01:19:13.178Z", + "ctime": "2018-11-27T01:19:13.178Z", + "group": "root", + "path": "/etc/hosts", + "gid": 0, + "uid": 0, + "inode": "121", + "mode": "0644", + "size": 209 + }, + "hash": { + "sha1": "ac0139feba2533b2670370c22551547341fde295" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"XNbJUmcBTFzn_XoL6leU", + "source": { + "@timestamp": "2018-11-27T01:30:22.705Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "25784", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "152.245.204.82" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "152.245.204.82", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 184359 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "XdbJUmcBTFzn_XoL6leU", + "source": { + "@timestamp": "2018-11-27T01:30:22.707Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "25784", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "152.245.204.82" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "152.245.204.82", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184360, + "result": "fail" + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + 
"category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "XtbJUmcBTFzn_XoL6leU", + "source": { + "@timestamp": "2018-11-27T01:30:22.717Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "25783" + }, + "source": { + "ip": "152.245.204.82" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184361, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "152.245.204.82", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "X9bJUmcBTFzn_XoL6leU", + "source": { + "@timestamp": "2018-11-27T01:30:22.719Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "sequence": 184362, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "152.245.204.82" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + 
"type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "25783", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "152.245.204.82" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YNbJUmcBTFzn_XoL6leU", + "source": { + "@timestamp": "2018-11-27T01:30:22.897Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "25784", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "152.245.204.82" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "hostname": "152.245.204.82", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "152.245.204.82", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184363, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YdbJUmcBTFzn_XoL6leU", + "source": { + "@timestamp": "2018-11-27T01:30:22.918Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "152.245.204.82" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": 
"152.245.204.82" + } + }, + "sequence": 184364 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "25783" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "152.245.204.82" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "DNbKUmcBTFzn_XoLGlxF", + "source": { + "@timestamp": "2018-11-27T01:30:34.971Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32299", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186434 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "DdbKUmcBTFzn_XoLGlxF", + "source": { + "@timestamp": "2018-11-27T01:30:34.972Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": 
"0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32299" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186435, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "DtbKUmcBTFzn_XoLGlxF", + "source": { + "@timestamp": "2018-11-27T01:30:35.002Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32299", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186436, + "result": "fail", + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "107.170.65.109" + } + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "r9bJUmcBTFzn_XoLAkOP", + "source": { + "@timestamp": 
"2018-11-27T01:29:23.365Z", + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32290", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186431, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "sNbJUmcBTFzn_XoLAkOP", + "source": { + "@timestamp": "2018-11-27T01:29:23.366Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32290" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186432 + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + 
"hostname": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "sdbJUmcBTFzn_XoLAkOP", + "source": { + "@timestamp": "2018-11-27T01:29:23.397Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186433, + "result": "fail", + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32290" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KtbLUmcBTFzn_XoLIXLc", + "source": { + "@timestamp": "2018-11-27T01:31:42.449Z", + "auditd": { + "sequence": 186437, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32307", + "exe": "/usr/sbin/sshd" + }, + "beat": { + 
"name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "K9bLUmcBTFzn_XoLIXLc", + "source": { + "@timestamp": "2018-11-27T01:31:42.450Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32307" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 186438, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "LNbLUmcBTFzn_XoLIXLc", + "source": { + "@timestamp": "2018-11-27T01:31:42.481Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32307" + }, + "source": { + "ip": "107.170.65.109" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186439, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + 
"hostname": "107.170.65.109" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + } + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "udbLUmcBTFzn_XoLfHlZ", + "source": { + "@timestamp": "2018-11-27T01:32:05.615Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "173.167.200.227", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192532, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "562" + }, + "source": { + "ip": "173.167.200.227" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "utbLUmcBTFzn_XoLfHlZ", + "source": { + "@timestamp": "2018-11-27T01:32:05.616Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "562" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + 
}, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "173.167.200.227" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192533, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "173.167.200.227" + } + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "u9bLUmcBTFzn_XoLfHlZ", + "source": { + "@timestamp": "2018-11-27T01:32:05.661Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "562", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "173.167.200.227" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "173.167.200.227", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "173.167.200.227", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192534, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KtbJUmcBTFzn_XoLK0dG", + "source": { + "@timestamp": "2018-11-27T01:29:33.789Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { 
+ "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "548", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "138.68.50.250" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "138.68.50.250", + "type": "user-session" + } + }, + "sequence": 192529, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "K9bJUmcBTFzn_XoLK0dG", + "source": { + "@timestamp": "2018-11-27T01:29:33.789Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "548" + }, + "source": { + "ip": "138.68.50.250" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192530, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "138.68.50.250" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "LNbJUmcBTFzn_XoLK0dG", + "source": { + "@timestamp": "2018-11-27T01:29:33.830Z", + "auditd": { + "sequence": 192531, + "result": "fail", + "session": "unset", + "data": { + "hostname": "138.68.50.250", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "138.68.50.250", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "548", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "138.68.50.250" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ZtbKUmcBTFzn_XoLRF8K", + "source": { + "@timestamp": "2018-11-27T01:30:45.664Z", + "process": { + "pid": "29595", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "138.68.249.156" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44189, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "138.68.249.156", + "type": "user-session", + "primary": "sshd" + } + } + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": 
"logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Z9bKUmcBTFzn_XoLRF8K", + "source": { + "@timestamp": "2018-11-27T01:30:45.664Z", + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "29595" + }, + "source": { + "ip": "138.68.249.156" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "138.68.249.156", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44190 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "aNbKUmcBTFzn_XoLRF8K", + "source": { + "@timestamp": "2018-11-27T01:30:45.708Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "29595", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "138.68.249.156" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44191, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "138.68.249.156" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "secondary": "138.68.249.156", + "type": "user-session", + "primary": "ssh" + 
}, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gNbKUmcBTFzn_XoL3Gzp", + "source": { + "@timestamp": "2018-11-27T01:31:24.795Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "200.160.115.234", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 44192, + "result": "fail" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "29609", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "200.160.115.234" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gdbKUmcBTFzn_XoL3Gzp", + "source": { + "@timestamp": "2018-11-27T01:31:24.795Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "200.160.115.234", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + 
"sequence": 44193 + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "29609", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "200.160.115.234" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gtbKUmcBTFzn_XoL3Gzp", + "source": { + "@timestamp": "2018-11-27T01:31:24.971Z", + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "sequence": 44194, + "result": "fail", + "session": "unset", + "data": { + "hostname": "200.160.115.234", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "200.160.115.234", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "29609", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "200.160.115.234" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CNbKUmcBTFzn_XoLLl55", + "source": { + "@timestamp": "2018-11-27T01:30:40.139Z", + "process": { + "pid": "29592", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "164.132.197.108" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44188, + "result": "fail", + "session": 
"unset", + "data": { + "hostname": "164.132.197.108", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "164.132.197.108", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YdbNUmcBTFzn_XoLn6nH", + "source": { + "@timestamp": "2018-11-27T01:34:25.758Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 186449, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32327", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YtbNUmcBTFzn_XoLn6nH", + "source": { + "@timestamp": "2018-11-27T01:34:25.759Z", + "user": { + "auid": "unset", + 
"uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32327", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186450 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Y9bNUmcBTFzn_XoLn6nH", + "source": { + "@timestamp": "2018-11-27T01:34:25.789Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32327", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "107.170.65.109" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + } + }, + "sequence": 186451 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + 
"value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "adbNUmcBTFzn_XoLo6mE", + "source": { + "@timestamp": "2018-11-27T01:34:26.614Z", + "process": { + "pid": "12750", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "101.89.114.94" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43176, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "101.89.114.94", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "atbNUmcBTFzn_XoLo6mE", + "source": { + "@timestamp": "2018-11-27T01:34:26.614Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "12750", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "101.89.114.94" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43177, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + 
"secondary": "101.89.114.94", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "a9bNUmcBTFzn_XoLo6mE", + "source": { + "@timestamp": "2018-11-27T01:34:26.814Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "pid": "12750", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "101.89.114.94" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "101.89.114.94", + "type": "user-session" + } + }, + "sequence": 43178, + "result": "fail", + "session": "unset", + "data": { + "hostname": "101.89.114.94", + "op": "PAM:bad_ident", + "terminal": "ssh" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2tbPUmcBTFzn_XoLbtDN", + "source": { + "@timestamp": "2018-11-27T01:36:24.291Z", + "process": { + "pid": "32340", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186458, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + 
"secondary": "(unknown user)" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "29bPUmcBTFzn_XoLbtDN", + "source": { + "@timestamp": "2018-11-27T01:36:24.292Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186459, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + } + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32340", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3NbPUmcBTFzn_XoLbtDN", + "source": { + "@timestamp": "2018-11-27T01:36:24.322Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "process": { + "pid": "32340", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186460, + "result": "fail", + 
"session": "unset", + "data": { + "hostname": "107.170.65.109", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "EtbOUmcBTFzn_XoLf7xx", + "source": { + "@timestamp": "2018-11-27T01:35:22.989Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186455, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32333" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "E9bOUmcBTFzn_XoLf7xx", + "source": { + "@timestamp": "2018-11-27T01:35:22.990Z", + "process": { + "pid": "32333", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "beat": { + "name": 
"demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186456, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FNbOUmcBTFzn_XoLf7xx", + "source": { + "@timestamp": "2018-11-27T01:35:23.020Z", + "process": { + "pid": "32333", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186457, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "107.170.65.109", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"6tbMUmcBTFzn_XoLzZY6", + "source": { + "@timestamp": "2018-11-27T01:33:31.856Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32317", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186443, + "result": "fail", + "session": "unset" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "69bMUmcBTFzn_XoLzZY6", + "source": { + "@timestamp": "2018-11-27T01:33:31.857Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32317", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + }, + "sequence": 186444, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": 
"demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "7NbMUmcBTFzn_XoLzZY6", + "source": { + "@timestamp": "2018-11-27T01:33:31.887Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32317", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "ssh" + } + }, + "sequence": 186445, + "result": "fail" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "EdbMUmcBTFzn_XoLAYZs", + "source": { + "@timestamp": "2018-11-27T01:32:39.681Z", + "auditd": { + "sequence": 186440, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": 
"demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "32315", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "EtbMUmcBTFzn_XoLAYZs", + "source": { + "@timestamp": "2018-11-27T01:32:39.682Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32315", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186441, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "E9bMUmcBTFzn_XoLAYZs", + "source": { + "@timestamp": "2018-11-27T01:32:39.713Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32315", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + 
}, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "107.170.65.109", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186442 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6dbOUmcBTFzn_XoLD7I4", + "source": { + "@timestamp": "2018-11-27T01:34:54.285Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32330", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.33.228.67" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "sequence": 186452, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "178.33.228.67" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6tbOUmcBTFzn_XoLD7I4", + "source": { + "@timestamp": "2018-11-27T01:34:54.286Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32330", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + 
"hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "178.33.228.67" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "178.33.228.67", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186453, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "69bOUmcBTFzn_XoLD7I4", + "source": { + "@timestamp": "2018-11-27T01:34:54.394Z", + "process": { + "pid": "32330", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "178.33.228.67" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186454, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "178.33.228.67", + "terminal": "ssh" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "178.33.228.67", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-tbOUmcBTFzn_XoL_cbV", + "source": { + "@timestamp": "2018-11-27T01:35:55.371Z", + 
"source": { + "ip": "85.113.39.134" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "85.113.39.134", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192535, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "583" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-9bOUmcBTFzn_XoL_cbV", + "source": { + "@timestamp": "2018-11-27T01:35:55.372Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "583" + }, + "source": { + "ip": "85.113.39.134" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "sequence": 192536, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "85.113.39.134" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + } + } + } 
+} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_NbOUmcBTFzn_XoL_cbV", + "source": { + "@timestamp": "2018-11-27T01:35:55.530Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192537, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "85.113.39.134", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "85.113.39.134" + } + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "583", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "85.113.39.134" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "xdbMUmcBTFzn_XoLx5bh", + "source": { + "@timestamp": "2018-11-27T01:33:30.481Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "12742", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "131.72.141.34" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "131.72.141.34" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43173, + 
"result": "fail" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "xtbMUmcBTFzn_XoLx5bh", + "source": { + "@timestamp": "2018-11-27T01:33:30.485Z", + "process": { + "pid": "12742", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "131.72.141.34" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43174, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "131.72.141.34", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "x9bMUmcBTFzn_XoLx5bh", + "source": { + "@timestamp": "2018-11-27T01:33:30.637Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "hostname": "131.72.141.34", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "131.72.141.34", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43175, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + 
"version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "12742", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "131.72.141.34" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "WtbNUmcBTFzn_XoLcqUk", + "source": { + "@timestamp": "2018-11-27T01:34:14.073Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32325", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.38.33.178" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "51.38.33.178", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 186446, + "result": "fail" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "W9bNUmcBTFzn_XoLcqUk", + "source": { + "@timestamp": "2018-11-27T01:34:14.075Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "user": { + "auid": "unset", + 
"name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32325" + }, + "source": { + "ip": "51.38.33.178" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "51.38.33.178", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + }, + "sequence": 186447 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "XNbNUmcBTFzn_XoLcqUk", + "source": { + "@timestamp": "2018-11-27T01:34:14.182Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32325" + }, + "source": { + "ip": "51.38.33.178" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "51.38.33.178", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186448, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "51.38.33.178" + } + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "W9bQUmcBTFzn_XoLRuMO", + "source": { + "@timestamp": "2018-11-27T01:37:19.393Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12766", + 
"exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "117.172.59.127" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "117.172.59.127" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 43182 + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "XNbQUmcBTFzn_XoLRuMO", + "source": { + "@timestamp": "2018-11-27T01:37:19.393Z", + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12766" + }, + "source": { + "ip": "117.172.59.127" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "117.172.59.127", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43183, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"XdbQUmcBTFzn_XoLRuMO", + "source": { + "@timestamp": "2018-11-27T01:37:19.649Z", + "process": { + "pid": "12766", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "117.172.59.127" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "117.172.59.127" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "117.172.59.127" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43184, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "otbQUmcBTFzn_XoLVOSA", + "source": { + "@timestamp": "2018-11-27T01:37:23.093Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12773", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "193.70.85.206" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43185, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "193.70.85.206" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "193.70.85.206", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + } + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + 
"type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "BtbQUmcBTFzn_XoLaudn", + "source": { + "@timestamp": "2018-11-27T01:37:28.701Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32348" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186461, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "B9bQUmcBTFzn_XoLaudn", + "source": { + "@timestamp": "2018-11-27T01:37:28.702Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 186462, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + 
"beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32348" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CNbQUmcBTFzn_XoLaudn", + "source": { + "@timestamp": "2018-11-27T01:37:28.734Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32348" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "hostname": "107.170.65.109", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186463, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "E9bRUmcBTFzn_XoLKPdd", + "source": { + "@timestamp": "2018-11-27T01:38:17.330Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19716" + }, + "source": { + "ip": "93.157.241.40" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": 
"sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "93.157.241.40", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142343, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FNbRUmcBTFzn_XoLKPdd", + "source": { + "@timestamp": "2018-11-27T01:38:17.331Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "19716", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "93.157.241.40" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "93.157.241.40", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142344, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FdbRUmcBTFzn_XoLKPdd", + "source": { + "@timestamp": "2018-11-27T01:38:17.539Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "19716", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "93.157.241.40" + }, + "network": { + 
"direction": "incoming" + }, + "auditd": { + "data": { + "hostname": "93.157.241.40", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "93.157.241.40", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142345, + "result": "fail", + "session": "unset" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qNbPUmcBTFzn_XoL8dwD", + "source": { + "@timestamp": "2018-11-27T01:36:57.625Z", + "process": { + "pid": "25824", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "94.23.0.13" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "94.23.0.13", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184365, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qdbPUmcBTFzn_XoL8dwD", + "source": { + "@timestamp": "2018-11-27T01:36:57.626Z", + "source": { + 
"ip": "94.23.0.13" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "94.23.0.13" + } + }, + "sequence": 184366, + "result": "fail" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "25824", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qtbPUmcBTFzn_XoL8dwD", + "source": { + "@timestamp": "2018-11-27T01:36:57.733Z", + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "25824" + }, + "source": { + "ip": "94.23.0.13" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184367, + "result": "fail", + "session": "unset", + "data": { + "hostname": "94.23.0.13", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "94.23.0.13", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + 
"value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "T9bQUmcBTFzn_XoLQeNm", + "source": { + "@timestamp": "2018-11-27T01:37:18.204Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "159.203.185.59", + "type": "user-session" + } + }, + "sequence": 192544 + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "595", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "159.203.185.59" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "UNbQUmcBTFzn_XoLQeNm", + "source": { + "@timestamp": "2018-11-27T01:37:18.205Z", + "process": { + "pid": "595", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "159.203.185.59" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192545, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "159.203.185.59" + } + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "module": "auditd", + 
"category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "UdbQUmcBTFzn_XoLQeNm", + "source": { + "@timestamp": "2018-11-27T01:37:18.237Z", + "auditd": { + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "159.203.185.59", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192546, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "159.203.185.59" + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "595", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "159.203.185.59" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "RdbQUmcBTFzn_XoLGOA5", + "source": { + "@timestamp": "2018-11-27T01:37:07.663Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "593", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "82.242.169.217" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + 
"session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "82.242.169.217", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192541, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "RtbQUmcBTFzn_XoLGOA5", + "source": { + "@timestamp": "2018-11-27T01:37:07.664Z", + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "82.242.169.217", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192542, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "593", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "82.242.169.217" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "R9bQUmcBTFzn_XoLGOA5", + "source": { + "@timestamp": "2018-11-27T01:37:08.073Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": 
"unset", + "uid": "0" + }, + "process": { + "pid": "593", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "82.242.169.217" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192543, + "result": "fail", + "session": "unset", + "data": { + "hostname": "82.242.169.217", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "82.242.169.217", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FtbPUmcBTFzn_XoL29qM", + "source": { + "@timestamp": "2018-11-27T01:36:52.130Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "91.230.8.194", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + }, + "sequence": 192538 + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "591" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "91.230.8.194" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "F9bPUmcBTFzn_XoL29qM", + "source": { + "@timestamp": "2018-11-27T01:36:52.131Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": 
"demo-stack-nginx-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "591", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "91.230.8.194" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "91.230.8.194", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192539 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "GNbPUmcBTFzn_XoL29qM", + "source": { + "@timestamp": "2018-11-27T01:36:52.258Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "91.230.8.194", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "91.230.8.194", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192540 + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "591", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "91.230.8.194" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "vtbQUmcBTFzn_XoLKeAA", + "source": 
{ + "@timestamp": "2018-11-27T01:37:11.956Z", + "source": { + "ip": "51.254.201.64" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "51.254.201.64" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + }, + "sequence": 43179, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "12764", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "v9bQUmcBTFzn_XoLKeAA", + "source": { + "@timestamp": "2018-11-27T01:37:11.956Z", + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "12764", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.254.201.64" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "51.254.201.64", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43180, + "result": "fail" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + 
"action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "wNbQUmcBTFzn_XoLKeAA", + "source": { + "@timestamp": "2018-11-27T01:37:12.064Z", + "process": { + "pid": "12764", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.254.201.64" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43181, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "51.254.201.64", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "51.254.201.64" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ltbQUmcBTFzn_XoL3fAn", + "source": { + "@timestamp": "2018-11-27T01:37:58.076Z", + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "46.17.40.237", + "type": "user-session" + } + }, + "sequence": 142342, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "46.17.40.237" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", 
+ "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "process": { + "pid": "19713", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.17.40.237" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "VtfUUmcBTFzn_XoLxEaR", + "source": { + "@timestamp": "2018-11-27T01:42:13.909Z", + "source": { + "ip": "147.75.96.90" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "147.75.96.90", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44195, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "29821", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "V9fUUmcBTFzn_XoLxEaR", + "source": { + "@timestamp": "2018-11-27T01:42:13.913Z", + "source": { + "ip": "147.75.96.90" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44196, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": 
"(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "147.75.96.90", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "29821" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "WNfUUmcBTFzn_XoLxEaR", + "source": { + "@timestamp": "2018-11-27T01:42:13.945Z", + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "29821" + }, + "source": { + "ip": "147.75.96.90" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44197, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "147.75.96.90", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "147.75.96.90" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "wtfUUmcBTFzn_XoLzEYU", + "source": { + "@timestamp": "2018-11-27T01:42:15.845Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "29824", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "144.217.4.14" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44198, + "result": "fail", + 
"session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "144.217.4.14", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "w9fUUmcBTFzn_XoLzEYU", + "source": { + "@timestamp": "2018-11-27T01:42:15.845Z", + "process": { + "pid": "29824", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "144.217.4.14" + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44199, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "144.217.4.14", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "xNfUUmcBTFzn_XoLzEYU", + "source": { + "@timestamp": "2018-11-27T01:42:15.889Z", + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { 
+ "name": "demo-stack-es-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "29824", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "144.217.4.14" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44200, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "144.217.4.14" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "144.217.4.14", + "type": "user-session" + } + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0NfUUmcBTFzn_XoL0Ubg", + "source": { + "@timestamp": "2018-11-27T01:42:17.334Z", + "process": { + "pid": "19742", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "source": { + "ip": "192.252.209.190" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "secondary": "192.252.209.190", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 142355 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"0dfUUmcBTFzn_XoL0Ubg", + "source": { + "@timestamp": "2018-11-27T01:42:17.335Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "192.252.209.190", + "type": "user-session" + } + }, + "sequence": 142356, + "result": "fail" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19742", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "192.252.209.190" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0tfUUmcBTFzn_XoL0Ubg", + "source": { + "@timestamp": "2018-11-27T01:42:17.366Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19742", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "192.252.209.190" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142357, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "192.252.209.190" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + 
"secondary": "192.252.209.190", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "tNfUUmcBTFzn_XoLIDfE", + "source": { + "@timestamp": "2018-11-27T01:41:31.994Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19739", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "82.196.12.151" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "secondary": "82.196.12.151", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142352, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "tdfUUmcBTFzn_XoLIDfE", + "source": { + "@timestamp": "2018-11-27T01:41:31.995Z", + "auditd": { + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "82.196.12.151", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142353, + "result": "fail" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + 
"type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19739", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "82.196.12.151" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ttfUUmcBTFzn_XoLIDfE", + "source": { + "@timestamp": "2018-11-27T01:41:32.100Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "19739", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "82.196.12.151" + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142354, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "82.196.12.151" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "82.196.12.151", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_dfVUmcBTFzn_XoLRFCU", + "source": { + "@timestamp": "2018-11-27T01:42:46.698Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "secondary": "202.28.34.200", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 184380 + }, + 
"event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "25911", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "202.28.34.200" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_tfVUmcBTFzn_XoLRFCU", + "source": { + "@timestamp": "2018-11-27T01:42:46.700Z", + "auditd": { + "sequence": 184381, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "202.28.34.200", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "25911" + }, + "source": { + "ip": "202.28.34.200" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_9fVUmcBTFzn_XoLRFCU", + "source": { + "@timestamp": "2018-11-27T01:42:46.932Z", + "source": { + "ip": "202.28.34.200" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": 
"ssh", + "hostname": "202.28.34.200" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "202.28.34.200", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184382, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "25911", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ANfUUmcBTFzn_XoL5ElJ", + "source": { + "@timestamp": "2018-11-27T01:42:22.047Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "25908" + }, + "source": { + "ip": "104.234.223.14" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "104.234.223.14", + "type": "user-session" + } + }, + "sequence": 184377, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "AdfUUmcBTFzn_XoL5ElJ", + "source": { + "@timestamp": 
"2018-11-27T01:42:22.048Z", + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "104.234.223.14", + "type": "user-session" + } + }, + "sequence": 184378, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "25908", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.234.223.14" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "AtfUUmcBTFzn_XoL5ElJ", + "source": { + "@timestamp": "2018-11-27T01:42:22.097Z", + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "25908", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.234.223.14" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184379, + "result": "fail", + "session": "unset", + "data": { + "hostname": "104.234.223.14", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "104.234.223.14", + 
"type": "user-session" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "79fUUmcBTFzn_XoLuUSW", + "source": { + "@timestamp": "2018-11-27T01:42:11.115Z", + "auditd": { + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186479, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32381", + "exe": "/usr/sbin/sshd" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "8NfUUmcBTFzn_XoLuUSW", + "source": { + "@timestamp": "2018-11-27T01:42:11.116Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32381", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186480, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd", + 
"actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "8dfUUmcBTFzn_XoLuUSW", + "source": { + "@timestamp": "2018-11-27T01:42:11.146Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32381", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "107.170.65.109" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186481, + "result": "fail" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ntfUUmcBTFzn_XoLPzou", + "source": { + "@timestamp": "2018-11-27T01:41:39.780Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "25901", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "185.91.116.197" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + 
"object": { + "primary": "sshd", + "secondary": "185.91.116.197", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184374, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "n9fUUmcBTFzn_XoLPzou", + "source": { + "@timestamp": "2018-11-27T01:41:39.781Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "25901", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "185.91.116.197" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "185.91.116.197", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184375, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "oNfUUmcBTFzn_XoLPzou", + "source": { + "@timestamp": "2018-11-27T01:41:39.902Z", + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "25901" + }, + "source": { + "ip": "185.91.116.197" + }, + 
"network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "185.91.116.197", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "secondary": "185.91.116.197", + "type": "user-session", + "primary": "ssh" + } + }, + "sequence": 184376, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "TdfUUmcBTFzn_XoLaj6n", + "source": { + "@timestamp": "2018-11-27T01:41:50.908Z", + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32377" + }, + "source": { + "ip": "37.187.113.229" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186476, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "37.187.113.229", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "TtfUUmcBTFzn_XoLaj6n", + "source": { + "@timestamp": "2018-11-27T01:41:50.909Z", + "host": { + "name": "demo-stack-redis-01" + 
}, + "auditd": { + "sequence": 186477, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "37.187.113.229", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32377" + }, + "source": { + "ip": "37.187.113.229" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "T9fUUmcBTFzn_XoLaj6n", + "source": { + "@timestamp": "2018-11-27T01:41:51.016Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32377", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "37.187.113.229" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "37.187.113.229" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "37.187.113.229" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186478, + "result": "fail" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + 
"index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gdfVUmcBTFzn_XoLildy", + "source": { + "@timestamp": "2018-11-27T01:43:04.584Z", + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "92.222.47.243", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184383, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "25918", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "92.222.47.243" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gtfVUmcBTFzn_XoLildy", + "source": { + "@timestamp": "2018-11-27T01:43:04.585Z", + "source": { + "ip": "92.222.47.243" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "92.222.47.243", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 184384, + "result": "fail" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": 
"demo-stack-apache-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "25918", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "g9fVUmcBTFzn_XoLildy", + "source": { + "@timestamp": "2018-11-27T01:43:04.690Z", + "source": { + "ip": "92.222.47.243" + }, + "network": { + "direction": "incoming" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "92.222.47.243", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "92.222.47.243", + "type": "user-session" + } + }, + "sequence": 184385, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "25918" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "7tfUUmcBTFzn_XoL-0sw", + "source": { + "@timestamp": "2018-11-27T01:42:27.906Z", + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "185.21.16.108", + "type": "user-session" + } + }, + "sequence": 44201, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "name": 
"demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "29828", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "185.21.16.108" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "79fUUmcBTFzn_XoL-0sw", + "source": { + "@timestamp": "2018-11-27T01:42:27.906Z", + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "process": { + "pid": "29828", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "185.21.16.108" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "185.21.16.108", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44202, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "8NfUUmcBTFzn_XoL-0sw", + "source": { + "@timestamp": "2018-11-27T01:42:28.038Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "29828", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "185.21.16.108" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "185.21.16.108", + "terminal": "ssh", 
+ "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "185.21.16.108" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44203, + "result": "fail" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "NNfcUmcBTFzn_XoLuPTT", + "source": { + "@timestamp": "2018-11-27T01:50:55.209Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32438" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186506, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "NdfcUmcBTFzn_XoLuPTT", + "source": { + "@timestamp": "2018-11-27T01:50:55.210Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(invalid 
user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186507, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32438" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "NtfcUmcBTFzn_XoLuPTT", + "source": { + "@timestamp": "2018-11-27T01:50:55.240Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32438", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + } + }, + "sequence": 186508, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "OtfcUmcBTFzn_XoLu_Sp", + "source": { 
+ "@timestamp": "2018-11-27T01:50:55.885Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "178.80.6.244", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142382, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19808", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.80.6.244" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "O9fcUmcBTFzn_XoLu_Sp", + "source": { + "@timestamp": "2018-11-27T01:50:55.886Z", + "source": { + "ip": "178.80.6.244" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "178.80.6.244" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 142383, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19808", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, 
+ "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "PNfcUmcBTFzn_XoLu_Sp", + "source": { + "@timestamp": "2018-11-27T01:50:56.100Z", + "auditd": { + "data": { + "hostname": "178.80.6.244", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "178.80.6.244" + } + }, + "sequence": 142384, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19808", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.80.6.244" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ttfaUmcBTFzn_XoL780P", + "source": { + "@timestamp": "2018-11-27T01:48:58.021Z", + "source": { + "ip": "104.236.181.158" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "104.236.181.158" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142376, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + } + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": 
{ + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19793", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "t9faUmcBTFzn_XoL780P", + "source": { + "@timestamp": "2018-11-27T01:48:58.022Z", + "source": { + "ip": "104.236.181.158" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "104.236.181.158", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 142377, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "process": { + "pid": "19793", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "uNfaUmcBTFzn_XoL780P", + "source": { + "@timestamp": "2018-11-27T01:48:58.064Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "104.236.181.158" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": 
"ssh", + "secondary": "104.236.181.158" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142378, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19793", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.236.181.158" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "tNfbUmcBTFzn_XoLTdQu", + "source": { + "@timestamp": "2018-11-27T01:49:22.116Z", + "process": { + "pid": "19795", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "153.142.75.192" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "object": { + "secondary": "153.142.75.192", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 142379 + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "tdfbUmcBTFzn_XoLTdQu", + "source": { + "@timestamp": "2018-11-27T01:49:22.117Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + 
"name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19795", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "153.142.75.192" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142380, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "153.142.75.192", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ttfbUmcBTFzn_XoLTdQu", + "source": { + "@timestamp": "2018-11-27T01:49:22.274Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19795", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "source": { + "ip": "153.142.75.192" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "153.142.75.192" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "153.142.75.192", + "type": "user-session" + } + }, + "sequence": 142381, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "GtfaUmcBTFzn_XoLLr2X", + "source": { + "@timestamp": "2018-11-27T01:48:08.749Z", + 
"beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19785", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "190.0.10.138" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "190.0.10.138" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 142373, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "G9faUmcBTFzn_XoLLr2X", + "source": { + "@timestamp": "2018-11-27T01:48:08.750Z", + "source": { + "ip": "190.0.10.138" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "190.0.10.138", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 142374 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01" + }, + "process": { + "pid": "19785", + "exe": "/usr/sbin/sshd" 
+ } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "HNfaUmcBTFzn_XoLLr2X", + "source": { + "@timestamp": "2018-11-27T01:48:08.857Z", + "source": { + "ip": "190.0.10.138" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142375, + "result": "fail", + "session": "unset", + "data": { + "hostname": "190.0.10.138", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "190.0.10.138" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19785", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "J9faUmcBTFzn_XoLbcKr", + "source": { + "@timestamp": "2018-11-27T01:48:24.897Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32420" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186500, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + } + }, 
+ "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KNfaUmcBTFzn_XoLbcKr", + "source": { + "@timestamp": "2018-11-27T01:48:24.899Z", + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186501, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32420" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KdfaUmcBTFzn_XoLbcKr", + "source": { + "@timestamp": "2018-11-27T01:48:24.929Z", + "source": { + "ip": "107.170.65.109" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "107.170.65.109" + }, 
+ "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 186502, + "result": "fail" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32420", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ItfZUmcBTFzn_XoLRqn8", + "source": { + "@timestamp": "2018-11-27T01:47:09.456Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32412" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186497, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "I9fZUmcBTFzn_XoLRqn8", + "source": { + "@timestamp": "2018-11-27T01:47:09.457Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32412", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(invalid user)", + 
"terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186498, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JNfZUmcBTFzn_XoLRqn8", + "source": { + "@timestamp": "2018-11-27T01:47:09.491Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32412", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "107.170.65.109" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186499, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KtfbUmcBTFzn_XoLltt6", + "source": { + "@timestamp": "2018-11-27T01:49:40.879Z", + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + 
"network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186503, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32428", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "K9fbUmcBTFzn_XoLltt6", + "source": { + "@timestamp": "2018-11-27T01:49:40.881Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32428" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186504 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", 
+ "type": "doc", + "id": "LNfbUmcBTFzn_XoLltt6", + "source": { + "@timestamp": "2018-11-27T01:49:40.911Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186505, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "107.170.65.109" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32428" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "zNfZUmcBTFzn_XoL6LbT", + "source": { + "@timestamp": "2018-11-27T01:47:50.888Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "19783", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "176.31.75.53" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142370, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": 
"user-session", + "primary": "sshd", + "secondary": "176.31.75.53" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "zdfZUmcBTFzn_XoL6LbT", + "source": { + "@timestamp": "2018-11-27T01:47:50.889Z", + "source": { + "ip": "176.31.75.53" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142371, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "176.31.75.53", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19783", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ztfZUmcBTFzn_XoL6LbT", + "source": { + "@timestamp": "2018-11-27T01:47:50.996Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "176.31.75.53" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "176.31.75.53", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142372, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + 
"auid": "unset", + "uid": "0" + }, + "process": { + "pid": "19783", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "176.31.75.53" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6dfcUmcBTFzn_XoLVuuz", + "source": { + "@timestamp": "2018-11-27T01:50:30.087Z", + "source": { + "ip": "178.33.45.156" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44204, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "178.33.45.156", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "29987" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6tfcUmcBTFzn_XoLVuuz", + "source": { + "@timestamp": "2018-11-27T01:50:30.087Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "29987", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.33.45.156" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + 
"secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "178.33.45.156", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44205, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + } + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "69fcUmcBTFzn_XoLVuuz", + "source": { + "@timestamp": "2018-11-27T01:50:30.195Z", + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "29987", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.33.45.156" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44206, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "178.33.45.156" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "178.33.45.156", + "type": "user-session" + } + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "i9jhUmcBTFzn_XoLAlEZ", + "source": { + "@timestamp": "2018-11-27T01:55:36.110Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "26002" + }, + "source": { + "ip": "178.48.181.9" + }, + "network": { + "direction": 
"incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "secondary": "178.48.181.9", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 184395 + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "jNjhUmcBTFzn_XoLAlEZ", + "source": { + "@timestamp": "2018-11-27T01:55:36.111Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "26002" + }, + "source": { + "ip": "178.48.181.9" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184396, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "178.48.181.9", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "jdjhUmcBTFzn_XoLAlEZ", + "source": { + "@timestamp": "2018-11-27T01:55:36.272Z", + "source": { + "ip": 
"178.48.181.9" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184397, + "result": "fail", + "session": "unset", + "data": { + "hostname": "178.48.181.9", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "178.48.181.9" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "26002" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "HNjhUmcBTFzn_XoLBFLi", + "source": { + "@timestamp": "2018-11-27T01:55:36.824Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186518, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32466", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": 
"doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "HdjhUmcBTFzn_XoLBFLi", + "source": { + "@timestamp": "2018-11-27T01:55:36.825Z", + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "32466", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186519, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + } + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "HtjhUmcBTFzn_XoLBFLi", + "source": { + "@timestamp": "2018-11-27T01:55:36.858Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186520, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "107.170.65.109", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + } + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + 
"hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "32466", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "X9jhUmcBTFzn_XoLml-F", + "source": { + "@timestamp": "2018-11-27T01:56:15.131Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "83.99.24.14", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186524, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32470", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "83.99.24.14" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YNjhUmcBTFzn_XoLml-F", + "source": { + "@timestamp": "2018-11-27T01:56:15.132Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32470" + }, + "source": { + "ip": "83.99.24.14" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + 
"primary": "sshd", + "secondary": "83.99.24.14", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186525, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YdjhUmcBTFzn_XoLml-F", + "source": { + "@timestamp": "2018-11-27T01:56:15.245Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32470", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "83.99.24.14" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "83.99.24.14", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186526, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "83.99.24.14" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YtjhUmcBTFzn_XoLml-F", + "source": { + "@timestamp": "2018-11-27T01:56:15.822Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "51.38.68.237" + }, + 
"how": "/usr/sbin/sshd" + }, + "sequence": 186527, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32472", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.38.68.237" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Y9jhUmcBTFzn_XoLml-F", + "source": { + "@timestamp": "2018-11-27T01:56:15.823Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32472", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "51.38.68.237" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186528, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "51.38.68.237" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ZNjhUmcBTFzn_XoLml-F", + "source": { + "@timestamp": "2018-11-27T01:56:15.930Z", + "auditd": { + "sequence": 186529, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": 
"ssh", + "hostname": "51.38.68.237" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "51.38.68.237" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32472" + }, + "source": { + "ip": "51.38.68.237" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "jNjgUmcBTFzn_XoL304M", + "source": { + "@timestamp": "2018-11-27T01:55:27.134Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "30088", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "91.121.142.225" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "91.121.142.225", + "type": "user-session" + } + }, + "sequence": 44210, + "result": "fail" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "jdjgUmcBTFzn_XoL304M", + 
"source": { + "@timestamp": "2018-11-27T01:55:27.134Z", + "process": { + "pid": "30088", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "source": { + "ip": "91.121.142.225" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "91.121.142.225" + } + }, + "sequence": 44211 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "jtjgUmcBTFzn_XoL304M", + "source": { + "@timestamp": "2018-11-27T01:55:27.238Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "30088", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "91.121.142.225" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "91.121.142.225" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "91.121.142.225" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44212, + "result": "fail" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", 
+ "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "j9jgUmcBTFzn_XoL304M", + "source": { + "@timestamp": "2018-11-27T01:55:27.846Z", + "source": { + "ip": "104.234.223.14" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44213, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "104.234.223.14", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "30090", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "kNjgUmcBTFzn_XoL304M", + "source": { + "@timestamp": "2018-11-27T01:55:27.850Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "104.234.223.14", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44214 + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": 
"unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30090" + }, + "source": { + "ip": "104.234.223.14" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "kdjgUmcBTFzn_XoL304M", + "source": { + "@timestamp": "2018-11-27T01:55:27.898Z", + "process": { + "pid": "30090", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.234.223.14" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44215, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "104.234.223.14", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "104.234.223.14", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "vNjfUmcBTFzn_XoL8jpi", + "source": { + "@timestamp": "2018-11-27T01:54:26.552Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32457", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": 
"demo-stack-redis-01" + }, + "auditd": { + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 186515, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "vdjfUmcBTFzn_XoL8jpi", + "source": { + "@timestamp": "2018-11-27T01:54:26.553Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32457" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + } + }, + "sequence": 186516, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "vtjfUmcBTFzn_XoL8jpi", + "source": { + "@timestamp": "2018-11-27T01:54:26.584Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "hostname": "107.170.65.109", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + 
"secondary": "107.170.65.109", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186517, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32457", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "59jgUmcBTFzn_XoLk0ht", + "source": { + "@timestamp": "2018-11-27T01:55:07.779Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "65.127.203.242", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142395, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19840", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "65.127.203.242" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6NjgUmcBTFzn_XoLk0ht", + "source": { + "@timestamp": "2018-11-27T01:55:07.780Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "type": "user_login", 
+ "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19840", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "65.127.203.242" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "sshd", + "secondary": "65.127.203.242", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 142396, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6djgUmcBTFzn_XoLk0ht", + "source": { + "@timestamp": "2018-11-27T01:55:07.840Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19840", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "65.127.203.242" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "secondary": "65.127.203.242", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 142397, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "65.127.203.242", + "terminal": "ssh" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "P9jhUmcBTFzn_XoLbFvp", + "source": { + "@timestamp": "2018-11-27T01:56:03.454Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "164.132.197.108", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186521 + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32468", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "164.132.197.108" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QNjhUmcBTFzn_XoLbFvp", + "source": { + "@timestamp": "2018-11-27T01:56:03.455Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32468", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "164.132.197.108" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "164.132.197.108" + }, + "how": "/usr/sbin/sshd" + }, 
+ "sequence": 186522, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QdjhUmcBTFzn_XoLbFvp", + "source": { + "@timestamp": "2018-11-27T01:56:03.574Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "data": { + "hostname": "164.132.197.108", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "164.132.197.108", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186523, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32468", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "164.132.197.108" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "kNjgUmcBTFzn_XoLv0zp", + "source": { + "@timestamp": "2018-11-27T01:55:19.167Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "752", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "36.84.80.31" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "36.84.80.31", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + 
"sequence": 192556, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "kdjgUmcBTFzn_XoLv0zp", + "source": { + "@timestamp": "2018-11-27T01:55:19.168Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192557, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "36.84.80.31", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "752", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "36.84.80.31" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ktjgUmcBTFzn_XoLv0zp", + "source": { + "@timestamp": "2018-11-27T01:55:19.429Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "36.84.80.31" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "36.84.80.31", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + 
"sequence": 192558 + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "752", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "36.84.80.31" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_NjhUmcBTFzn_XoLd1s3", + "source": { + "@timestamp": "2018-11-27T01:56:06.089Z", + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "197.149.137.86", + "type": "user-session" + } + }, + "sequence": 44216, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "30106", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "197.149.137.86" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_djhUmcBTFzn_XoLd1s3", + "source": { + "@timestamp": "2018-11-27T01:56:06.089Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + 
"name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "30106", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "197.149.137.86" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "197.149.137.86", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44217, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_tjhUmcBTFzn_XoLd1s3", + "source": { + "@timestamp": "2018-11-27T01:56:06.317Z", + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "30106", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "197.149.137.86" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "197.149.137.86", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44218, + "result": "fail", + "session": "unset", + "data": { + "hostname": "197.149.137.86", + "op": "PAM:bad_ident", + "terminal": "ssh" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JtjhUmcBTFzn_XoL7GYK", + "source": { + "@timestamp": "2018-11-27T01:56:36.000Z", 
+ "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "26010", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "54.37.191.209" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184398, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "54.37.191.209" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "54.37.191.209", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "NtjlUmcBTFzn_XoLuLrU", + "source": { + "@timestamp": "2018-11-27T02:00:45.031Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "26032", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "128.199.145.205" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "128.199.145.205", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184399, + "result": "fail", + "session": "unset" + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } 
+ } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "N9jlUmcBTFzn_XoLuLrU", + "source": { + "@timestamp": "2018-11-27T02:00:45.032Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "26032", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "128.199.145.205" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "128.199.145.205", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184400 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ONjlUmcBTFzn_XoLuLrU", + "source": { + "@timestamp": "2018-11-27T02:00:45.255Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "hostname": "128.199.145.205", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "128.199.145.205", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184401 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "26032", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "hostname": "demo-stack-apache-01", 
+ "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "128.199.145.205" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "OdjlUmcBTFzn_XoLubrj", + "source": { + "@timestamp": "2018-11-27T02:00:45.301Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32510" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 186545, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "OtjlUmcBTFzn_XoLubrj", + "source": { + "@timestamp": "2018-11-27T02:00:45.302Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186546 + }, + "event": { + 
"action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32510" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "O9jlUmcBTFzn_XoLubrj", + "source": { + "@timestamp": "2018-11-27T02:00:45.333Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186547, + "result": "fail", + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "107.170.65.109" + } + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32510", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "R9jlUmcBTFzn_XoLvrqH", + "source": { + "@timestamp": "2018-11-27T02:00:46.487Z", + "source": { + "ip": "51.254.140.108" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43217, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "type": 
"user-session", + "primary": "sshd", + "secondary": "51.254.140.108" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12917", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "SNjlUmcBTFzn_XoLvrqH", + "source": { + "@timestamp": "2018-11-27T02:00:46.487Z", + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "12917", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "51.254.140.108" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43218, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "51.254.140.108" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "SdjlUmcBTFzn_XoLvrqH", + "source": { + "@timestamp": "2018-11-27T02:00:46.595Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "pid": "12917", + 
"exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.254.140.108" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43219, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "51.254.140.108", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "51.254.140.108", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "StjlUmcBTFzn_XoLvrqH", + "source": { + "@timestamp": "2018-11-27T02:00:47.131Z", + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "pid": "12919", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "79.133.56.139" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "79.133.56.139", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43220, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "S9jlUmcBTFzn_XoLvrqH", + "source": { + "@timestamp": "2018-11-27T02:00:47.135Z", + "process": { + "pid": "12919", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "79.133.56.139" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "79.133.56.139", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + }, + "sequence": 43221 + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "TNjlUmcBTFzn_XoLvrqH", + "source": { + "@timestamp": "2018-11-27T02:00:47.243Z", + "source": { + "ip": "79.133.56.139" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "79.133.56.139" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "79.133.56.139" + } + }, + "sequence": 43222 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12919" + }, + "beat": { + "name": 
"demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "wdjmUmcBTFzn_XoL8NQE", + "source": { + "@timestamp": "2018-11-27T02:02:04.698Z", + "process": { + "pid": "19884", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "50.71.229.131" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "50.71.229.131", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142407 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "wtjmUmcBTFzn_XoL8NQE", + "source": { + "@timestamp": "2018-11-27T02:02:04.699Z", + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19884", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "50.71.229.131" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142408, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": 
"50.71.229.131", + "type": "user-session", + "primary": "sshd" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "w9jmUmcBTFzn_XoL8NQE", + "source": { + "@timestamp": "2018-11-27T02:02:04.762Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "source": { + "ip": "50.71.229.131" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142409, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "50.71.229.131", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "50.71.229.131", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19884", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "xdjmUmcBTFzn_XoL8tSP", + "source": { + "@timestamp": "2018-11-27T02:02:05.349Z", + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32513" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + 
"terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + } + }, + "sequence": 186548, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "xtjmUmcBTFzn_XoL8tSP", + "source": { + "@timestamp": "2018-11-27T02:02:05.350Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32513" + }, + "source": { + "ip": "107.170.65.109" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + } + }, + "sequence": 186549, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "x9jmUmcBTFzn_XoL8tSP", + "source": { + "@timestamp": "2018-11-27T02:02:05.381Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": 
"unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32513", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186550, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "107.170.65.109" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "V9jlUmcBTFzn_XoLPq9B", + "source": { + "@timestamp": "2018-11-27T02:00:13.654Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142398, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "217.182.55.191", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19871", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "217.182.55.191" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"WNjlUmcBTFzn_XoLPq9B", + "source": { + "@timestamp": "2018-11-27T02:00:13.656Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "sshd", + "secondary": "217.182.55.191", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 142399, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19871", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "217.182.55.191" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "WdjlUmcBTFzn_XoLPq9B", + "source": { + "@timestamp": "2018-11-27T02:00:13.762Z", + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19871", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "217.182.55.191" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142400, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "217.182.55.191", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": 
"217.182.55.191", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "4djmUmcBTFzn_XoLT8Yc", + "source": { + "@timestamp": "2018-11-27T02:01:23.506Z", + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "91.121.110.50", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142401, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19879" + }, + "source": { + "ip": "91.121.110.50" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "4tjmUmcBTFzn_XoLT8Yc", + "source": { + "@timestamp": "2018-11-27T02:01:23.507Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142402, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "91.121.110.50", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + 
"uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19879", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "source": { + "ip": "91.121.110.50" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "49jmUmcBTFzn_XoLT8Yc", + "source": { + "@timestamp": "2018-11-27T02:01:23.614Z", + "auditd": { + "session": "unset", + "data": { + "hostname": "91.121.110.50", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "91.121.110.50", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142403, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19879", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "91.121.110.50" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ktjnUmcBTFzn_XoLvuUr", + "source": { + "@timestamp": "2018-11-27T02:02:57.473Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32520" + }, + "source": { + "ip": "213.191.147.66" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": 
{ + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "213.191.147.66" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 186551, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + } + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "k9jnUmcBTFzn_XoLvuUr", + "source": { + "@timestamp": "2018-11-27T02:02:57.474Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186552, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "213.191.147.66", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32520", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "213.191.147.66" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "lNjnUmcBTFzn_XoLvuUr", + "source": { + "@timestamp": "2018-11-27T02:02:57.617Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + 
"name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32520", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "213.191.147.66" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186553, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "213.191.147.66" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "213.191.147.66", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "7tjmUmcBTFzn_XoLlMzO", + "source": { + "@timestamp": "2018-11-27T02:01:41.348Z", + "source": { + "ip": "211.219.52.136" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "211.219.52.136", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142404, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19881", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "79jmUmcBTFzn_XoLlMzO", + "source": { + 
"@timestamp": "2018-11-27T02:01:41.349Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19881", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "211.219.52.136" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "211.219.52.136", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142405 + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "8NjmUmcBTFzn_XoLlMzO", + "source": { + "@timestamp": "2018-11-27T02:01:41.509Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19881", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "211.219.52.136" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "211.219.52.136", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142406, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "211.219.52.136", + "terminal": "ssh" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": 
"user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "h9joUmcBTFzn_XoLK-92", + "source": { + "@timestamp": "2018-11-27T02:03:25.452Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32523" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186554, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "sshd" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "iNjoUmcBTFzn_XoLK-92", + "source": { + "@timestamp": "2018-11-27T02:03:25.453Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32523" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186555 + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": 
"7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "idjoUmcBTFzn_XoLK-92", + "source": { + "@timestamp": "2018-11-27T02:03:25.484Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32523", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "107.170.65.109" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186556 + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KtjoUmcBTFzn_XoLAuyv", + "source": { + "@timestamp": "2018-11-27T02:03:15.008Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "191.255.74.211", + "type": "user-session" + } + }, + "sequence": 43223 + }, + "beat": { + "name": "demo-stack-mysql-01", + 
"hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "12938", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "191.255.74.211" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "K9joUmcBTFzn_XoLAuyv", + "source": { + "@timestamp": "2018-11-27T02:03:15.008Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "191.255.74.211" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43224 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12938", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "191.255.74.211" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "LNjoUmcBTFzn_XoLAuyv", + "source": { + "@timestamp": "2018-11-27T02:03:15.172Z", + "network": { + "direction": "incoming" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "auditd": { + 
"data": { + "hostname": "191.255.74.211", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "191.255.74.211", + "type": "user-session" + } + }, + "sequence": 43225, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "12938", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "191.255.74.211" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "F9jlUmcBTFzn_XoLX7Lz", + "source": { + "@timestamp": "2018-11-27T02:00:22.277Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "source": { + "ip": "152.115.61.52" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44222, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "152.115.61.52", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "30191", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "GNjlUmcBTFzn_XoLX7Lz", + "source": { + "@timestamp": "2018-11-27T02:00:22.277Z", + "auditd": { + "data": { + "op": "login", 
+ "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "152.115.61.52" + } + }, + "sequence": 44223, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "30191", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "152.115.61.52" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "GdjlUmcBTFzn_XoLX7Lz", + "source": { + "@timestamp": "2018-11-27T02:00:22.397Z", + "process": { + "pid": "30191", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "152.115.61.52" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "152.115.61.52", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "152.115.61.52" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44224 + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "BtnuUmcBTFzn_XoLAnDn", + "source": { + "@timestamp": "2018-11-27T02:09:48.280Z", + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30394" + }, + "source": { + "ip": "185.227.110.251" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "185.227.110.251" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44237, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "B9nuUmcBTFzn_XoLAnDn", + "source": { + "@timestamp": "2018-11-27T02:09:48.280Z", + "source": { + "ip": "185.227.110.251" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44238, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "185.227.110.251", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": 
"7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30394" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CNnuUmcBTFzn_XoLAnDn", + "source": { + "@timestamp": "2018-11-27T02:09:48.468Z", + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "30394", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "185.227.110.251" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "185.227.110.251" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "185.227.110.251", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 44239, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "X9nuUmcBTFzn_XoLDHBr", + "source": { + "@timestamp": "2018-11-27T02:09:50.721Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "218.149.228.158" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "218.149.228.158", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + 
"sequence": 184418, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "26142", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YNnuUmcBTFzn_XoLDHBr", + "source": { + "@timestamp": "2018-11-27T02:09:50.722Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "26142", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "218.149.228.158" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "218.149.228.158", + "type": "user-session" + } + }, + "sequence": 184419, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YdnuUmcBTFzn_XoLDHBr", + "source": { + "@timestamp": "2018-11-27T02:09:51.346Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184420, + "result": "fail", + "session": "unset", + "data": { + "hostname": "218.149.228.158", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + 
"secondary": "218.149.228.158" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "26142", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "218.149.228.158" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "79ntUmcBTFzn_XoLGltv", + "source": { + "@timestamp": "2018-11-27T02:08:48.772Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186566, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32556", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "8NntUmcBTFzn_XoLGltv", + "source": { + "@timestamp": "2018-11-27T02:08:48.774Z", + "source": { + "ip": "107.170.65.109" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + 
}, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186567, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32556", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "8dntUmcBTFzn_XoLGltv", + "source": { + "@timestamp": "2018-11-27T02:08:48.804Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + } + }, + "sequence": 186568, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "107.170.65.109", + "op": "PAM:bad_ident" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32556", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "99ntUmcBTFzn_XoLHFsj", + "source": { + 
"@timestamp": "2018-11-27T02:08:49.207Z", + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "sequence": 184409, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "secondary": "145.239.82.62", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "26086", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "145.239.82.62" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-NntUmcBTFzn_XoLHFsj", + "source": { + "@timestamp": "2018-11-27T02:08:49.208Z", + "auditd": { + "sequence": 184410, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "145.239.82.62", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "26086", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "145.239.82.62" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + 
"host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-dntUmcBTFzn_XoLHFsj", + "source": { + "@timestamp": "2018-11-27T02:08:49.341Z", + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "26086" + }, + "source": { + "ip": "145.239.82.62" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "145.239.82.62", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184411, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "145.239.82.62" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CNntUmcBTFzn_XoLc2Oa", + "source": { + "@timestamp": "2018-11-27T02:09:11.600Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19924", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "109.115.54.245" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "sequence": 142413, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "109.115.54.245", + 
"type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CdntUmcBTFzn_XoLc2Oa", + "source": { + "@timestamp": "2018-11-27T02:09:11.601Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "109.115.54.245", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142414, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19924" + }, + "source": { + "ip": "109.115.54.245" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CtntUmcBTFzn_XoLc2Oa", + "source": { + "@timestamp": "2018-11-27T02:09:11.721Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19924", + "exe": "/usr/sbin/sshd" + }, + "source": 
{ + "ip": "109.115.54.245" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "hostname": "109.115.54.245", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "109.115.54.245", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142415 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "RNnuUmcBTFzn_XoLWnfO", + "source": { + "@timestamp": "2018-11-27T02:10:10.787Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32565" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + } + }, + "sequence": 186569, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "RdnuUmcBTFzn_XoLWnfO", + "source": { + "@timestamp": "2018-11-27T02:10:10.788Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186570, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + 
"secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32565", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "RtnuUmcBTFzn_XoLWnfO", + "source": { + "@timestamp": "2018-11-27T02:10:10.819Z", + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32565", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186571, + "result": "fail", + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + } + } + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "AdntUmcBTFzn_XoLiGV_", + "source": { + "@timestamp": "2018-11-27T02:09:16.902Z", + "beat": { + "name": 
"demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19926", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "71.90.181.64" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142416, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "71.90.181.64", + "type": "user-session" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "AtntUmcBTFzn_XoLiGV_", + "source": { + "@timestamp": "2018-11-27T02:09:16.903Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19926", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "source": { + "ip": "71.90.181.64" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "71.90.181.64", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 142417 + } + } + } +} + +{ 
+ "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "A9ntUmcBTFzn_XoLiGV_", + "source": { + "@timestamp": "2018-11-27T02:09:16.974Z", + "auditd": { + "sequence": 142418, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "71.90.181.64" + }, + "summary": { + "object": { + "secondary": "71.90.181.64", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "19926", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "71.90.181.64" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2tntUmcBTFzn_XoLSl-h", + "source": { + "@timestamp": "2018-11-27T02:09:01.110Z", + "event": { + "type": "user_acct", + "action": "was-authorized", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "830", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 192568, + "result": "success", + "session": "unset", + "data": { + "terminal": "cron", + "op": "PAM:accounting", + "acct": "root" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + 
}, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "29ntUmcBTFzn_XoLSl-h", + "source": { + "@timestamp": "2018-11-27T02:09:01.110Z", + "auditd": { + "sequence": 192569, + "result": "success", + "session": "unset", + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:setcred" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "action": "acquired-credentials", + "module": "auditd", + "category": "user-login", + "type": "cred_acq" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "830", + "exe": "/usr/sbin/cron" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3NntUmcBTFzn_XoLSl-h", + "source": { + "@timestamp": "2018-11-27T02:09:01.112Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0", + "uid": "0" + }, + "process": { + "pid": "830", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "data": { + "op": "PAM:session_open", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + } + }, + "sequence": 192571, + "result": "success", + "session": "9864" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_start", + "action": 
"started-session" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3dntUmcBTFzn_XoLSl-h", + "source": { + "@timestamp": "2018-11-27T02:09:01.215Z", + "user": { + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0", + "uid": "0" + }, + "process": { + "pid": "830", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 192572, + "result": "success", + "session": "9864", + "data": { + "op": "PAM:setcred", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "cred_disp", + "action": "disposed-credentials", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3tntUmcBTFzn_XoLSl-h", + "source": { + "@timestamp": "2018-11-27T02:09:01.216Z", + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "830", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "data": { + "op": "PAM:session_close", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 192573, + "result": "success", + "session": "9864" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "action": "ended-session", + "module": "auditd", + "category": "user-login", + "type": "user_end" + } + } + 
} +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_dntUmcBTFzn_XoLTV_Y", + "source": { + "@timestamp": "2018-11-27T02:09:01.933Z", + "event": { + "category": "user-login", + "type": "user_acct", + "action": "was-authorized", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "26094", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 184412, + "result": "success", + "session": "unset", + "data": { + "terminal": "cron", + "op": "PAM:accounting", + "acct": "root" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_tntUmcBTFzn_XoLTV_Y", + "source": { + "@timestamp": "2018-11-27T02:09:01.933Z", + "event": { + "category": "user-login", + "type": "cred_acq", + "action": "acquired-credentials", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "26094", + "exe": "/usr/sbin/cron" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 184413, + "result": "success", + "session": "unset", + "data": { + "terminal": "cron", + "op": "PAM:setcred", + "acct": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + 
"index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_9ntUmcBTFzn_XoLTV_Y", + "source": { + "@timestamp": "2018-11-27T02:09:01.935Z", + "auditd": { + "result": "success", + "session": "9860", + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:session_open" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 184415 + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "action": "started-session", + "module": "auditd", + "category": "user-login", + "type": "user_start" + }, + "user": { + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0", + "uid": "0" + }, + "process": { + "pid": "26094", + "exe": "/usr/sbin/cron" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ANntUmcBTFzn_XoLTWDY", + "source": { + "@timestamp": "2018-11-27T02:09:02.034Z", + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "session": "9860", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:setcred" + }, + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + } + }, + "sequence": 184416, + "result": "success" + }, + "event": { + "action": "disposed-credentials", + "module": "auditd", + "category": "user-login", + "type": "cred_disp" + }, + "user": { + "uid": "0", + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + } + }, + "process": { + "pid": "26094", + "exe": "/usr/sbin/cron" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "AdntUmcBTFzn_XoLTWDY", + "source": { + "@timestamp": "2018-11-27T02:09:02.035Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_end", + "action": "ended-session" + }, + "user": { + "name_map": { + "uid": "root", + "auid": "root" + }, + "auid": "0", + "uid": "0" + }, + "process": { + "pid": "26094", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:session_close" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "secondary": "root", + "primary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + } + }, + "sequence": 184417, + "result": "success", + "session": "9860" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "odnuUmcBTFzn_XoLa3iq", + "source": { + "@timestamp": "2018-11-27T02:10:15.075Z", + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "185.244.25.108" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + }, + "sequence": 44240, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30401" + }, + "source": { + "ip": "185.244.25.108" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "network": { + 
"direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "otnuUmcBTFzn_XoLa3iq", + "source": { + "@timestamp": "2018-11-27T02:10:15.075Z", + "process": { + "pid": "30401", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "source": { + "ip": "185.244.25.108" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "185.244.25.108", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44241, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "o9nuUmcBTFzn_XoLa3iq", + "source": { + "@timestamp": "2018-11-27T02:10:15.175Z", + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "data": { + "hostname": "185.244.25.108", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "secondary": "185.244.25.108", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44242, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "30401", + "exe": 
"/usr/sbin/sshd" + }, + "source": { + "ip": "185.244.25.108" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "z9nuUmcBTFzn_XoLh3rt", + "source": { + "@timestamp": "2018-11-27T02:10:22.335Z", + "auditd": { + "summary": { + "object": { + "primary": "sshd", + "secondary": "146.196.59.36", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + }, + "sequence": 44243, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "30405", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "146.196.59.36" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0NnuUmcBTFzn_XoLh3rt", + "source": { + "@timestamp": "2018-11-27T02:10:22.335Z", + "source": { + "ip": "146.196.59.36" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "146.196.59.36" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44244 + }, + "beat": { + "name": 
"demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "30405", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0dnuUmcBTFzn_XoLh3rt", + "source": { + "@timestamp": "2018-11-27T02:10:22.583Z", + "process": { + "pid": "30405", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "146.196.59.36" + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44245, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "146.196.59.36", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "146.196.59.36" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "9tnuUmcBTFzn_XoLM3ME", + "source": { + "@timestamp": "2018-11-27T02:10:00.602Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "module": "file_integrity", + "action": [ + "created" + ] + }, + "file": { + "size": 0, + "type": "file", + "uid": 0, + "owner": "root", + 
"group": "root", + "mode": "0000", + "mtime": "2018-11-27T02:10:00.596Z", + "gid": 0, + "inode": "185", + "path": "/etc/sed6b0EHM", + "ctime": "2018-11-27T02:10:00.596Z" + }, + "hash": { + "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "99nuUmcBTFzn_XoLM3ME", + "source": { + "@timestamp": "2018-11-27T02:10:00.603Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "event": { + "module": "file_integrity", + "action": [ + "updated" + ] + }, + "file": { + "inode": "185", + "size": 50, + "type": "file", + "uid": 0, + "owner": "root", + "mode": "0000", + "path": "/etc/sed6b0EHM", + "group": "root", + "mtime": "2018-11-27T02:10:00.600Z", + "ctime": "2018-11-27T02:10:00.600Z", + "gid": 0 + }, + "hash": { + "sha1": "58a8b2bb04893785eb5a48598a16a3fa8ad2fa36" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-NnuUmcBTFzn_XoLM3ME", + "source": { + "@timestamp": "2018-11-27T02:10:00.605Z", + "file": { + "path": "/etc/sed6b0EHM" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "module": "file_integrity", + "action": [ + "attributes_modified" + ] + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-dnuUmcBTFzn_XoLM3ME", + "source": { + "@timestamp": "2018-11-27T02:10:00.606Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "module": "file_integrity", + "action": [ + "moved" + ] + }, + "file": { + "path": "/etc/sed6b0EHM" + } + } + } 
+} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-tnuUmcBTFzn_XoLM3ME", + "source": { + "@timestamp": "2018-11-27T02:10:00.607Z", + "event": { + "action": [ + "created" + ], + "module": "file_integrity" + }, + "file": { + "owner": "root", + "uid": 0, + "mode": "0644", + "inode": "185", + "mtime": "2018-11-27T02:10:00.600Z", + "gid": 0, + "group": "root", + "path": "/etc/hosts", + "ctime": "2018-11-27T02:10:00.600Z", + "type": "file", + "size": 205 + }, + "hash": { + "sha1": "5a4ccf92aa02bc100c5b20faeed3691286e039e5" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "VdnzUmcBTFzn_XoLR-PG", + "source": { + "@timestamp": "2018-11-27T02:15:33.590Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "51.75.23.199", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43238 + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "13014", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.75.23.199" + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "VtnzUmcBTFzn_XoLR-PG", + 
"source": { + "@timestamp": "2018-11-27T02:15:33.590Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13014" + }, + "source": { + "ip": "51.75.23.199" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43239, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "51.75.23.199", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "V9nzUmcBTFzn_XoLR-PG", + "source": { + "@timestamp": "2018-11-27T02:15:33.702Z", + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "13014", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.75.23.199" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "51.75.23.199", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43240, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "51.75.23.199" + } + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": 
"7.0.0-alpha1", + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3tnzUmcBTFzn_XoLUOOL", + "source": { + "@timestamp": "2018-11-27T02:15:35.841Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "939" + }, + "source": { + "ip": "181.28.191.54" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "181.28.191.54", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192586, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "39nzUmcBTFzn_XoLUOOL", + "source": { + "@timestamp": "2018-11-27T02:15:35.843Z", + "auditd": { + "sequence": 192587, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "181.28.191.54", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": 
"user_login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "939" + }, + "source": { + "ip": "181.28.191.54" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "4NnzUmcBTFzn_XoLUOOL", + "source": { + "@timestamp": "2018-11-27T02:15:36.030Z", + "auditd": { + "sequence": 192588, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "181.28.191.54", + "terminal": "ssh" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "181.28.191.54" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "939", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "181.28.191.54" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-NnxUmcBTFzn_XoLYbnr", + "source": { + "@timestamp": "2018-11-27T02:13:29.217Z", + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "180.76.239.66" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 184427, + "result": "fail", + "session": "unset" + }, + "event": { + "module": 
"auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "26172" + }, + "source": { + "ip": "180.76.239.66" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-dnxUmcBTFzn_XoLYbnr", + "source": { + "@timestamp": "2018-11-27T02:13:29.218Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "26172", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "180.76.239.66" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "180.76.239.66" + } + }, + "sequence": 184428, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-tnxUmcBTFzn_XoLYbnr", + "source": { + "@timestamp": "2018-11-27T02:13:29.430Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184429, + "result": "fail", + "session": "unset", + "data": { + "hostname": "180.76.239.66", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + 
"primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "180.76.239.66", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "26172", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "180.76.239.66" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "H9nxUmcBTFzn_XoLY7rL", + "source": { + "@timestamp": "2018-11-27T02:13:29.694Z", + "process": { + "pid": "30475", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "164.132.43.198" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44252, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "164.132.43.198", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "INnxUmcBTFzn_XoLY7rL", + "source": { + "@timestamp": "2018-11-27T02:13:29.694Z", + "source": { + "ip": "164.132.43.198" + }, + "network": { + 
"direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "164.132.43.198", + "type": "user-session" + } + }, + "sequence": 44253, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "30475", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "IdnxUmcBTFzn_XoLY7rL", + "source": { + "@timestamp": "2018-11-27T02:13:29.798Z", + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "30475", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "164.132.43.198" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "164.132.43.198", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "164.132.43.198", + "type": "user-session" + } + }, + "sequence": 44254 + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "LtnwUmcBTFzn_XoL5q-R", + "source": { + "@timestamp": "2018-11-27T02:12:57.636Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32583" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186578, + "result": "fail", + "session": "unset" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "L9nwUmcBTFzn_XoL5q-R", + "source": { + "@timestamp": "2018-11-27T02:12:57.638Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186579 + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + 
"process": { + "pid": "32583", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "MNnwUmcBTFzn_XoL5q-R", + "source": { + "@timestamp": "2018-11-27T02:12:57.669Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "107.170.65.109", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186580 + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32583", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ctnyUmcBTFzn_XoLDsgI", + "source": { + "@timestamp": "2018-11-27T02:14:13.278Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32591" + }, + "source": { + "ip": "182.61.32.147" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 
186581, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "182.61.32.147" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "c9nyUmcBTFzn_XoLDsgI", + "source": { + "@timestamp": "2018-11-27T02:14:13.279Z", + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "182.61.32.147", + "type": "user-session" + } + }, + "sequence": 186582, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32591" + }, + "source": { + "ip": "182.61.32.147" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "dNnyUmcBTFzn_XoLDsgI", + "source": { + "@timestamp": "2018-11-27T02:14:13.485Z", + "source": { + "ip": "182.61.32.147" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "sequence": 186583, + "result": "fail", + "session": "unset", + "data": { + 
"terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "182.61.32.147" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "182.61.32.147", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32591" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "M9nyUmcBTFzn_XoLLcvi", + "source": { + "@timestamp": "2018-11-27T02:14:21.431Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186584, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32593" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "NNnyUmcBTFzn_XoLLcvi", + "source": { + "@timestamp": "2018-11-27T02:14:21.432Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": 
"(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + } + }, + "sequence": 186585, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32593", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "NdnyUmcBTFzn_XoLLcvi", + "source": { + "@timestamp": "2018-11-27T02:14:21.462Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186586, + "result": "fail", + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32593", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "NdnxUmcBTFzn_XoL1sT3", + "source": { 
+ "@timestamp": "2018-11-27T02:13:59.181Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "924", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "201.155.38.30" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "201.155.38.30" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 192580, + "result": "fail" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "NtnxUmcBTFzn_XoL1sT3", + "source": { + "@timestamp": "2018-11-27T02:13:59.183Z", + "source": { + "ip": "201.155.38.30" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "201.155.38.30", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 192581, + "result": "fail" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": 
"924", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "N9nxUmcBTFzn_XoL1sT3", + "source": { + "@timestamp": "2018-11-27T02:13:59.755Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "924", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "201.155.38.30" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "201.155.38.30" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "201.155.38.30" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192582, + "result": "fail", + "session": "unset" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "I9nxUmcBTFzn_XoL58U9", + "source": { + "@timestamp": "2018-11-27T02:14:03.342Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13001" + }, + "source": { + "ip": "137.74.199.177" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43235, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "137.74.199.177" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": 
"unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JNnxUmcBTFzn_XoL58U9", + "source": { + "@timestamp": "2018-11-27T02:14:03.342Z", + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "13001", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "137.74.199.177" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43236, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "137.74.199.177", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JdnxUmcBTFzn_XoL58U9", + "source": { + "@timestamp": "2018-11-27T02:14:03.458Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "137.74.199.177", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "137.74.199.177", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43237, + "result": "fail" + }, + "event": { + "type": "user_err", + 
"action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13001" + }, + "source": { + "ip": "137.74.199.177" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "jNnzUmcBTFzn_XoLLeBy", + "source": { + "@timestamp": "2018-11-27T02:15:26.857Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "pid": "937", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "190.0.10.138" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "190.0.10.138", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192583, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "jdnzUmcBTFzn_XoLLeBy", + "source": { + "@timestamp": "2018-11-27T02:15:26.858Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "937", + "exe": "/usr/sbin/sshd" + }, + "source": 
{ + "ip": "190.0.10.138" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "190.0.10.138" + } + }, + "sequence": 192584, + "result": "fail" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "jtnzUmcBTFzn_XoLLeBy", + "source": { + "@timestamp": "2018-11-27T02:15:26.950Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "pid": "937", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "190.0.10.138" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "190.0.10.138" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "190.0.10.138", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192585 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "n9nzUmcBTFzn_XoLXeXh", + "source": { + "@timestamp": "2018-11-27T02:15:39.252Z", + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": 
"7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "142.93.18.15" + } + }, + "sequence": 44255, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "30517", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "142.93.18.15" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "oNnzUmcBTFzn_XoLXeXh", + "source": { + "@timestamp": "2018-11-27T02:15:39.252Z", + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "30517", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "142.93.18.15" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "142.93.18.15", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 44256 + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + 
"id": "odnzUmcBTFzn_XoLXeXh", + "source": { + "@timestamp": "2018-11-27T02:15:39.292Z", + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "30517", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "142.93.18.15" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "ssh", + "secondary": "142.93.18.15", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 44257, + "result": "fail", + "session": "unset", + "data": { + "hostname": "142.93.18.15", + "op": "PAM:bad_ident", + "terminal": "ssh" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Utr3UmcBTFzn_XoLVD0D", + "source": { + "@timestamp": "2018-11-27T02:19:58.873Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "secondary": "164.132.197.108", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + }, + "sequence": 184439, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "26214", + "exe": "/usr/sbin/sshd" + }, + "source": { + 
"ip": "164.132.197.108" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "U9r3UmcBTFzn_XoLVD0D", + "source": { + "@timestamp": "2018-11-27T02:19:58.874Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "26214", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "164.132.197.108" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "164.132.197.108", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184440 + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "VNr3UmcBTFzn_XoLVD0D", + "source": { + "@timestamp": "2018-11-27T02:19:58.986Z", + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "164.132.197.108" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "164.132.197.108", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184441, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "26214", + 
"exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "164.132.197.108" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ltr3UmcBTFzn_XoLWD2x", + "source": { + "@timestamp": "2018-11-27T02:20:00.071Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32625", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186602, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "l9r3UmcBTFzn_XoLWD2x", + "source": { + "@timestamp": "2018-11-27T02:20:00.072Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186603, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "sshd" + }, + "how": 
"/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32625", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "mNr3UmcBTFzn_XoLWD2x", + "source": { + "@timestamp": "2018-11-27T02:20:00.103Z", + "process": { + "pid": "32625", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + } + }, + "sequence": 186604, + "result": "fail", + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "op": "PAM:bad_ident", + "terminal": "ssh" + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "htr4UmcBTFzn_XoLpVlZ", + "source": { + "@timestamp": "2018-11-27T02:21:25.223Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "network": { + "direction": "incoming" 
+ }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "37.195.105.57" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43262, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "13059", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "37.195.105.57" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "h9r4UmcBTFzn_XoLpVlZ", + "source": { + "@timestamp": "2018-11-27T02:21:25.227Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "13059", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "37.195.105.57" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "37.195.105.57", + "type": "user-session" + } + }, + "sequence": 43263, + "result": "fail" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "iNr4UmcBTFzn_XoLpVlZ", + "source": { + "@timestamp": "2018-11-27T02:21:25.431Z", + 
"event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "13059", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "37.195.105.57" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "auditd": { + "sequence": 43264, + "result": "fail", + "session": "unset", + "data": { + "hostname": "37.195.105.57", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "37.195.105.57", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "idr4UmcBTFzn_XoLpVnm", + "source": { + "@timestamp": "2018-11-27T02:21:25.372Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32633" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186605, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} 
+ +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "itr4UmcBTFzn_XoLpVnm", + "source": { + "@timestamp": "2018-11-27T02:21:25.373Z", + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + } + }, + "sequence": 186606, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "32633", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "i9r4UmcBTFzn_XoLpVnm", + "source": { + "@timestamp": "2018-11-27T02:21:25.404Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32633", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + } + }, + "sequence": 186607, + 
"result": "fail" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6Nr4UmcBTFzn_XoL4l6d", + "source": { + "@timestamp": "2018-11-27T02:21:40.914Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "20001", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "82.62.233.163" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142431, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "82.62.233.163", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6dr4UmcBTFzn_XoL4l6d", + "source": { + "@timestamp": "2018-11-27T02:21:40.915Z", + "process": { + "pid": "20001", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "source": { + "ip": "82.62.233.163" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + 
"object": { + "secondary": "82.62.233.163", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142432, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6tr4UmcBTFzn_XoL4l6d", + "source": { + "@timestamp": "2018-11-27T02:21:41.064Z", + "source": { + "ip": "82.62.233.163" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "82.62.233.163" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "82.62.233.163", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142433, + "result": "fail" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "20001", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Xtr5UmcBTFzn_XoL9Ha7", + "source": { + "@timestamp": "2018-11-27T02:22:51.088Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32641" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": 
"incoming" + }, + "auditd": { + "sequence": 186608, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "X9r5UmcBTFzn_XoL9Ha7", + "source": { + "@timestamp": "2018-11-27T02:22:51.090Z", + "auditd": { + "sequence": 186609, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + } + } + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32641", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YNr5UmcBTFzn_XoL9Ha7", + "source": { + "@timestamp": "2018-11-27T02:22:51.120Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": 
"user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32641", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186610, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "107.170.65.109" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + } + } + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ZNr5UmcBTFzn_XoL03NO", + "source": { + "@timestamp": "2018-11-27T02:22:42.532Z", + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "secondary": "104.248.11.46", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 192601 + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "986", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.248.11.46" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": 
"doc", + "id": "Zdr5UmcBTFzn_XoL03NO", + "source": { + "@timestamp": "2018-11-27T02:22:42.533Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "986" + }, + "source": { + "ip": "104.248.11.46" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "104.248.11.46", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192602 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Ztr5UmcBTFzn_XoL03NO", + "source": { + "@timestamp": "2018-11-27T02:22:42.564Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "986" + }, + "source": { + "ip": "104.248.11.46" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "104.248.11.46", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "104.248.11.46", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192603, + "result": "fail" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + 
"user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Xdr5UmcBTFzn_XoL23R3", + "source": { + "@timestamp": "2018-11-27T02:22:44.622Z", + "source": { + "ip": "91.67.54.251" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "91.67.54.251" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192604, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "988", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Xtr5UmcBTFzn_XoL23R3", + "source": { + "@timestamp": "2018-11-27T02:22:44.623Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "988", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "91.67.54.251" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "sequence": 192605, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + 
"secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "91.67.54.251", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "X9r5UmcBTFzn_XoL23R3", + "source": { + "@timestamp": "2018-11-27T02:22:44.754Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "988", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "91.67.54.251" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "91.67.54.251" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "91.67.54.251", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192606, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "INr4UmcBTFzn_XoLPlHT", + "source": { + "@timestamp": "2018-11-27T02:20:58.980Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30623" + }, + "source": { + "ip": "35.189.59.154" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "summary": { + 
"how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "35.189.59.154", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 44267, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Idr4UmcBTFzn_XoLPlHT", + "source": { + "@timestamp": "2018-11-27T02:20:58.980Z", + "source": { + "ip": "35.189.59.154" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "35.189.59.154" + } + }, + "sequence": 44268, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "30623", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Itr4UmcBTFzn_XoLPlHT", + "source": { + "@timestamp": "2018-11-27T02:20:59.156Z", + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "35.189.59.154", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "primary": "ssh", + 
"secondary": "35.189.59.154", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 44269 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "30623", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "35.189.59.154" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "7Nr3UmcBTFzn_XoLyEYO", + "source": { + "@timestamp": "2018-11-27T02:20:28.574Z", + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30616" + }, + "source": { + "ip": "91.196.149.76" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44264, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "91.196.149.76", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "7dr3UmcBTFzn_XoLyEYO", + "source": { + "@timestamp": "2018-11-27T02:20:28.574Z", + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(invalid 
user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "91.196.149.76", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44265, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30616" + }, + "source": { + "ip": "91.196.149.76" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "7tr3UmcBTFzn_XoLyEYO", + "source": { + "@timestamp": "2018-11-27T02:20:28.710Z", + "process": { + "pid": "30616", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "91.196.149.76" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "91.196.149.76" + }, + "summary": { + "object": { + "secondary": "91.196.149.76", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + } + }, + "sequence": 44266, + "result": "fail", + "session": "unset" + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + 
"type": "doc", + "id": "str3UmcBTFzn_XoLOzru", + "source": { + "@timestamp": "2018-11-27T02:19:52.704Z", + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "13051", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "193.70.38.229" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43259, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "193.70.38.229", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "s9r3UmcBTFzn_XoLOzru", + "source": { + "@timestamp": "2018-11-27T02:19:52.704Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "process": { + "pid": "13051", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "193.70.38.229" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "193.70.38.229", + "type": "user-session" + 
}, + "how": "/usr/sbin/sshd" + }, + "sequence": 43260, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "tNr3UmcBTFzn_XoLOzru", + "source": { + "@timestamp": "2018-11-27T02:19:52.820Z", + "process": { + "pid": "13051", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "193.70.38.229" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "193.70.38.229" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "193.70.38.229", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43261, + "result": "fail" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "O9r9UmcBTFzn_XoL4syL", + "source": { + "@timestamp": "2018-11-27T02:27:08.552Z", + "source": { + "ip": "150.95.110.147" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "150.95.110.147", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43265, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": 
"0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "pid": "13101", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "PNr9UmcBTFzn_XoL4syL", + "source": { + "@timestamp": "2018-11-27T02:27:08.552Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "13101", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "150.95.110.147" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "150.95.110.147", + "type": "user-session" + } + }, + "sequence": 43266 + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Pdr9UmcBTFzn_XoL4syL", + "source": { + "@timestamp": "2018-11-27T02:27:08.760Z", + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "150.95.110.147" + }, + "summary": { + "object": { + "secondary": "150.95.110.147", + "type": "user-session", 
+ "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 43267, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13101" + }, + "source": { + "ip": "150.95.110.147" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5tr9UmcBTFzn_XoL7Mz5", + "source": { + "@timestamp": "2018-11-27T02:27:11.246Z", + "network": { + "direction": "incoming" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186617, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32666" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "59r9UmcBTFzn_XoL7Mz5", + "source": { + "@timestamp": "2018-11-27T02:27:11.247Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + 
}, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32666" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186618, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6Nr9UmcBTFzn_XoL7Mz5", + "source": { + "@timestamp": "2018-11-27T02:27:11.279Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32666", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "107.170.65.109", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186619, + "result": "fail" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qtr7UmcBTFzn_XoLqZv2", + "source": { + "@timestamp": "2018-11-27T02:24:43.020Z", + "auditd": { 
+ "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "134.175.33.189" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142434 + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "20021", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "134.175.33.189" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "q9r7UmcBTFzn_XoLqZv2", + "source": { + "@timestamp": "2018-11-27T02:24:43.021Z", + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "134.175.33.189", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142435, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "20021", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "134.175.33.189" + }, + "network": { + "direction": "incoming" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + } 
+ } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rNr7UmcBTFzn_XoLqZv2", + "source": { + "@timestamp": "2018-11-27T02:24:43.229Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "sequence": 142436, + "result": "fail", + "session": "unset", + "data": { + "hostname": "134.175.33.189", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "134.175.33.189", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "20021" + }, + "source": { + "ip": "134.175.33.189" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "V9r7UmcBTFzn_XoLRZIS", + "source": { + "@timestamp": "2018-11-27T02:24:17.192Z", + "process": { + "pid": "32649", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186611, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + 
}, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "WNr7UmcBTFzn_XoLRZIS", + "source": { + "@timestamp": "2018-11-27T02:24:17.193Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 186612, + "result": "fail" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32649", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Wdr7UmcBTFzn_XoLRZIS", + "source": { + "@timestamp": "2018-11-27T02:24:17.223Z", + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32649", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { 
+ "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 186613, + "result": "fail", + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "op": "PAM:bad_ident", + "terminal": "ssh" + } + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "tdr8UmcBTFzn_XoLmK-a", + "source": { + "@timestamp": "2018-11-27T02:25:44.112Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186614 + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32658", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ttr8UmcBTFzn_XoLmK-a", + "source": { + "@timestamp": "2018-11-27T02:25:44.114Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186615, 
+ "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32658" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "t9r8UmcBTFzn_XoLmK-a", + "source": { + "@timestamp": "2018-11-27T02:25:44.144Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186616 + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32658", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Kdr8UmcBTFzn_XoL8rcs", + "source": { + "@timestamp": "2018-11-27T02:26:07.005Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + 
"hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "1003", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "144.217.12.168" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "sshd", + "secondary": "144.217.12.168", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + }, + "sequence": 192607, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Ktr8UmcBTFzn_XoL8rcs", + "source": { + "@timestamp": "2018-11-27T02:26:07.006Z", + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "1003", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "144.217.12.168" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "144.217.12.168", + "type": "user-session" + } + }, + "sequence": 192608 + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + 
"type": "doc", + "id": "K9r8UmcBTFzn_XoL8rcs", + "source": { + "@timestamp": "2018-11-27T02:26:07.048Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "1003", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "144.217.12.168" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "144.217.12.168", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "144.217.12.168", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 192609 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6dr7UmcBTFzn_XoLa5XB", + "source": { + "@timestamp": "2018-11-27T02:24:27.095Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "26248", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "159.138.6.50" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "159.138.6.50", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184442, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + } + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + 
"module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6tr7UmcBTFzn_XoLa5XB", + "source": { + "@timestamp": "2018-11-27T02:24:27.096Z", + "process": { + "pid": "26248", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "159.138.6.50" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184443, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "159.138.6.50", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "69r7UmcBTFzn_XoLa5XB", + "source": { + "@timestamp": "2018-11-27T02:24:27.306Z", + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "26248", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "159.138.6.50" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "hostname": "159.138.6.50", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "159.138.6.50", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 184444, + "result": "fail", + 
"session": "unset" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "mdr9UmcBTFzn_XoLS7_z", + "source": { + "@timestamp": "2018-11-27T02:26:30.024Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "178.33.228.67", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192610, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "1010", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.33.228.67" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "mtr9UmcBTFzn_XoLS7_z", + "source": { + "@timestamp": "2018-11-27T02:26:30.025Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "1010", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.33.228.67" + }, + "network": { + "direction": "incoming" + 
}, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "178.33.228.67", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192611, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "m9r9UmcBTFzn_XoLS7_z", + "source": { + "@timestamp": "2018-11-27T02:26:30.133Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "178.33.228.67", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "178.33.228.67", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192612, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "1010" + }, + "source": { + "ip": "178.33.228.67" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Gdr-UmcBTFzn_XoLHdFd", + "source": { + "@timestamp": "2018-11-27T02:27:23.630Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + 
"actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "213.34.172.74", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44273 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30753" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "source": { + "ip": "213.34.172.74" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Gtr-UmcBTFzn_XoLHdFd", + "source": { + "@timestamp": "2018-11-27T02:27:23.634Z", + "source": { + "ip": "213.34.172.74" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "213.34.172.74", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44274 + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30753" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "G9r-UmcBTFzn_XoLHdFd", + "source": { + "@timestamp": "2018-11-27T02:27:23.758Z", + "event": { + 
"category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "30753", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "source": { + "ip": "213.34.172.74" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44275, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "213.34.172.74", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "213.34.172.74", + "type": "user-session" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "o9r7UmcBTFzn_XoLJpB1", + "source": { + "@timestamp": "2018-11-27T02:24:09.351Z", + "process": { + "pid": "30690", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "175.205.114.52" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "175.205.114.52", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44270 + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + 
"value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "pNr7UmcBTFzn_XoLJpB1", + "source": { + "@timestamp": "2018-11-27T02:24:09.351Z", + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "175.205.114.52", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44271, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "30690", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "175.205.114.52" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "pdr7UmcBTFzn_XoLJpB1", + "source": { + "@timestamp": "2018-11-27T02:24:09.523Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "175.205.114.52" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "175.205.114.52", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44272 + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30690" + }, + "source": { + "ip": "175.205.114.52" + }, + "network": { + "direction": "incoming" + }, + "beat": { 
+ "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3NsDU2cBTFzn_XoLlEgC", + "source": { + "@timestamp": "2018-11-27T02:33:21.687Z", + "auditd": { + "sequence": 186632, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "92.86.47.26", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "92.86.47.26" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32702", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "92.86.47.26" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "a9sDU2cBTFzn_XoLmUlp", + "source": { + "@timestamp": "2018-11-27T02:33:23.071Z", + "auditd": { + "sequence": 192616, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "145.239.137.89" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + 
"uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "1048" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "145.239.137.89" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "bNsDU2cBTFzn_XoLmUlp", + "source": { + "@timestamp": "2018-11-27T02:33:23.072Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "1048", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "145.239.137.89" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "145.239.137.89", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192617 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "bdsDU2cBTFzn_XoLmUlp", + "source": { + "@timestamp": "2018-11-27T02:33:23.187Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "145.239.137.89", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "145.239.137.89" + }, + "how": 
"/usr/sbin/sshd" + }, + "sequence": 192618, + "result": "fail" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "1048", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "145.239.137.89" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "f9sDU2cBTFzn_XoLp0rb", + "source": { + "@timestamp": "2018-11-27T02:33:26.769Z", + "auditd": { + "sequence": 142437, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "115.113.54.122", + "type": "user-session" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "20065", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "115.113.54.122" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gNsDU2cBTFzn_XoLp0rb", + "source": { + "@timestamp": "2018-11-27T02:33:26.771Z", + "auditd": { + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": 
"/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "115.113.54.122", + "type": "user-session" + } + }, + "sequence": 142438, + "result": "fail" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "process": { + "pid": "20065", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "115.113.54.122" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gdsDU2cBTFzn_XoLp0rb", + "source": { + "@timestamp": "2018-11-27T02:33:27.053Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "20065", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "115.113.54.122" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "115.113.54.122", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "115.113.54.122", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142439, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"J9sGU2cBTFzn_XoLiIku", + "source": { + "@timestamp": "2018-11-27T02:36:35.268Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "26335", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "37.59.9.162" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "37.59.9.162" + } + }, + "sequence": 184445 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KNsGU2cBTFzn_XoLiIku", + "source": { + "@timestamp": "2018-11-27T02:36:35.269Z", + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "26335" + }, + "source": { + "ip": "37.59.9.162" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "37.59.9.162" + } + }, + "sequence": 184446 + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": 
"demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KdsGU2cBTFzn_XoLiIku", + "source": { + "@timestamp": "2018-11-27T02:36:35.380Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "26335", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "37.59.9.162" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "37.59.9.162", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184447, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "37.59.9.162", + "terminal": "ssh" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "uNsFU2cBTFzn_XoLNGx8", + "source": { + "@timestamp": "2018-11-27T02:35:08.305Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "source": { + "ip": "81.174.25.52" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "81.174.25.52" + } + }, + 
"sequence": 192619 + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "1062", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "udsFU2cBTFzn_XoLNGx8", + "source": { + "@timestamp": "2018-11-27T02:35:08.307Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "1062", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "81.174.25.52" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192620, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "81.174.25.52" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "utsFU2cBTFzn_XoLNGx8", + "source": { + "@timestamp": "2018-11-27T02:35:08.440Z", + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "81.174.25.52" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + 
"primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "81.174.25.52", + "type": "user-session" + } + }, + "sequence": 192621 + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "1062", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "81.174.25.52" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "yNsFU2cBTFzn_XoLA2fV", + "source": { + "@timestamp": "2018-11-27T02:34:55.845Z", + "source": { + "ip": "74.208.43.208" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "74.208.43.208", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 44282, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30899" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ydsFU2cBTFzn_XoLA2fV", + "source": { + "@timestamp": "2018-11-27T02:34:55.849Z", + "source": { + "ip": "74.208.43.208" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + 
"secondary": "74.208.43.208", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44283, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "30899", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ytsFU2cBTFzn_XoLA2fV", + "source": { + "@timestamp": "2018-11-27T02:34:55.873Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30899" + }, + "source": { + "ip": "74.208.43.208" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "74.208.43.208", + "terminal": "ssh" + }, + "summary": { + "object": { + "secondary": "74.208.43.208", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 44284 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "vNsHU2cBTFzn_XoLOZig", + "source": { + "@timestamp": "2018-11-27T02:37:20.688Z", + "host": { + "name": "demo-stack-es-01" + }, + "beat": 
{ + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "30953", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "87.249.215.83" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44289, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "87.249.215.83" + } + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "vdsHU2cBTFzn_XoLOZig", + "source": { + "@timestamp": "2018-11-27T02:37:20.688Z", + "source": { + "ip": "87.249.215.83" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "87.249.215.83", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + }, + "sequence": 44290, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30953" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "vtsHU2cBTFzn_XoLOZig", + "source": { + "@timestamp": "2018-11-27T02:37:20.864Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "30953", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "87.249.215.83" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "87.249.215.83" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "87.249.215.83" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44291, + "result": "fail" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "MtsEU2cBTFzn_XoLzWOC", + "source": { + "@timestamp": "2018-11-27T02:34:41.940Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "30892", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "175.116.217.13" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "175.116.217.13", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44279, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + 
}, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "M9sEU2cBTFzn_XoLzWOC", + "source": { + "@timestamp": "2018-11-27T02:34:41.944Z", + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "30892", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "175.116.217.13" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "sshd", + "secondary": "175.116.217.13", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 44280, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "NNsEU2cBTFzn_XoLzWOC", + "source": { + "@timestamp": "2018-11-27T02:34:42.116Z", + "auditd": { + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "175.116.217.13" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "175.116.217.13", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 44281, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "action": "error", + "module": 
"auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "30892", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "175.116.217.13" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "59sHU2cBTFzn_XoLBZOc", + "source": { + "@timestamp": "2018-11-27T02:37:07.375Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "30947", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "45.55.190.46" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "45.55.190.46" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44286 + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6NsHU2cBTFzn_XoLBZOc", + "source": { + "@timestamp": "2018-11-27T02:37:07.375Z", + "auditd": { + "sequence": 44287, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "45.55.190.46", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": 
"demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "30947", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "45.55.190.46" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6dsHU2cBTFzn_XoLBZOc", + "source": { + "@timestamp": "2018-11-27T02:37:07.407Z", + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "source": { + "ip": "45.55.190.46" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "45.55.190.46", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "45.55.190.46", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44288 + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "30947", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Y9sGU2cBTFzn_XoL6ZGy", + "source": { + "@timestamp": "2018-11-27T02:37:00.227Z", + "source": { + "ip": "103.48.12.177" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44285, + "result": "fail", + "session": "unset", + "data": { + "hostname": "103.48.12.177", + "op": "PAM:bad_ident", 
+ "terminal": "ssh" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "103.48.12.177" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "30943", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JNsJU2cBTFzn_XoLCcBJ", + "source": { + "@timestamp": "2018-11-27T02:39:19.382Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "object": { + "secondary": "167.99.84.229", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 43278, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "13175", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "167.99.84.229" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JdsJU2cBTFzn_XoLCcBJ", + "source": { + "@timestamp": "2018-11-27T02:39:19.386Z", + "user": { + "auid": "unset", + "uid": "0", + 
"name_map": { + "uid": "root" + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13175" + }, + "source": { + "ip": "167.99.84.229" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43279, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "167.99.84.229", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JtsJU2cBTFzn_XoLCcBJ", + "source": { + "@timestamp": "2018-11-27T02:39:19.486Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13175" + }, + "source": { + "ip": "167.99.84.229" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "hostname": "167.99.84.229", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "167.99.84.229", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + } + }, + "sequence": 43280, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "J9sJU2cBTFzn_XoLCcCX", + "source": { + "@timestamp": "2018-11-27T02:39:19.468Z", + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "89.223.28.0", + "type": "user-session" + } + }, + "sequence": 184454, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "26405", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "89.223.28.0" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KNsJU2cBTFzn_XoLCcCX", + "source": { + "@timestamp": "2018-11-27T02:39:19.469Z", + "source": { + "ip": "89.223.28.0" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "89.223.28.0", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184455 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "user": 
{ + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "26405", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KdsJU2cBTFzn_XoLCcCX", + "source": { + "@timestamp": "2018-11-27T02:39:19.630Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "26405" + }, + "source": { + "ip": "89.223.28.0" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "89.223.28.0", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "89.223.28.0", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184456, + "result": "fail" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "7dsJU2cBTFzn_XoLVsZ3", + "source": { + "@timestamp": "2018-11-27T02:39:39.149Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "188.166.58.40", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192640, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { 
+ "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "pid": "1141", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "188.166.58.40" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "7tsJU2cBTFzn_XoLVsZ3", + "source": { + "@timestamp": "2018-11-27T02:39:39.150Z", + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "188.166.58.40", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192641, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "1141", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "188.166.58.40" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "79sJU2cBTFzn_XoLVsZ3", + "source": { + "@timestamp": "2018-11-27T02:39:39.256Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "1141" + }, + "source": { + "ip": "188.166.58.40" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "hostname": "188.166.58.40", + "op": "PAM:bad_ident", + 
"terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "188.166.58.40", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192642 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KtsJU2cBTFzn_XoLWMfm", + "source": { + "@timestamp": "2018-11-27T02:39:39.771Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "139.59.171.172", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44295 + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "31024", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "139.59.171.172" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "K9sJU2cBTFzn_XoLWMfm", + "source": { + "@timestamp": "2018-11-27T02:39:39.771Z", + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "event": { + "category": "user-login", + "type": "user_login", + 
"action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31024", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "139.59.171.172" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "139.59.171.172" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 44296, + "result": "fail", + "session": "unset" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "LNsJU2cBTFzn_XoLWMfm", + "source": { + "@timestamp": "2018-11-27T02:39:39.863Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "31024", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "139.59.171.172" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "139.59.171.172", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "139.59.171.172" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 44297, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "HNsIU2cBTFzn_XoLc7MQ", + "source": { + "@timestamp": "2018-11-27T02:38:40.934Z", 
+ "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "1086" + }, + "source": { + "ip": "139.99.168.192" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "139.99.168.192", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192628, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "HdsIU2cBTFzn_XoLc7MQ", + "source": { + "@timestamp": "2018-11-27T02:38:40.935Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "pid": "1086", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "139.99.168.192" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "139.99.168.192" + } + }, + "sequence": 192629, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + } + } 
+ } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "HtsIU2cBTFzn_XoLc7MQ", + "source": { + "@timestamp": "2018-11-27T02:38:41.215Z", + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "139.99.168.192", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "139.99.168.192", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192630, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "1086", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "139.99.168.192" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "nNsJU2cBTFzn_XoLTcVS", + "source": { + "@timestamp": "2018-11-27T02:39:36.808Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "1139", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "52.60.179.151" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "52.60.179.151", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192637, + "result": "fail", + "session": "unset", + "data": 
{ + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ndsJU2cBTFzn_XoLTcVS", + "source": { + "@timestamp": "2018-11-27T02:39:36.809Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "52.60.179.151", + "type": "user-session" + } + }, + "sequence": 192638, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "1139", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "52.60.179.151" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ntsJU2cBTFzn_XoLTcVS", + "source": { + "@timestamp": "2018-11-27T02:39:36.855Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "52.60.179.151" + }, + "summary": { + "object": { + "secondary": "52.60.179.151", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 192639, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", 
+ "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "1139", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "52.60.179.151" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "sNsHU2cBTFzn_XoLr6LF", + "source": { + "@timestamp": "2018-11-27T02:37:50.939Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "1076", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "37.187.114.136" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "37.187.114.136", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 192622 + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "sdsHU2cBTFzn_XoLr6LF", + "source": { + "@timestamp": "2018-11-27T02:37:50.940Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "37.187.114.136", + "type": "user-session", + "primary": 
"sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192623 + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "1076", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "37.187.114.136" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "stsHU2cBTFzn_XoLr6LF", + "source": { + "@timestamp": "2018-11-27T02:37:51.046Z", + "auditd": { + "sequence": 192624, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "37.187.114.136", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "37.187.114.136" + } + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "1076", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "37.187.114.136" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "M9sIU2cBTFzn_XoLPq6w", + "source": { + "@timestamp": "2018-11-27T02:38:27.526Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "1084", 
+ "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "85.214.81.104" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "secondary": "85.214.81.104", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192625, + "result": "fail" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "NNsIU2cBTFzn_XoLPq6w", + "source": { + "@timestamp": "2018-11-27T02:38:27.527Z", + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "85.214.81.104" + } + }, + "sequence": 192626, + "result": "fail" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "1084", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "85.214.81.104" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"NdsIU2cBTFzn_XoLPq6w", + "source": { + "@timestamp": "2018-11-27T02:38:27.644Z", + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "1084" + }, + "source": { + "ip": "85.214.81.104" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "85.214.81.104", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "85.214.81.104", + "type": "user-session", + "primary": "ssh" + } + }, + "sequence": 192627, + "result": "fail" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "N9sJU2cBTFzn_XoLm8zp", + "source": { + "@timestamp": "2018-11-27T02:39:56.927Z", + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "13.66.193.177", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186633, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "process": { + "pid": "32736", + "exe": "/usr/sbin/sshd" + }, + "source": { + 
"ip": "13.66.193.177" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ONsJU2cBTFzn_XoLm8zp", + "source": { + "@timestamp": "2018-11-27T02:39:56.928Z", + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "13.66.193.177", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186634, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32736", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "13.66.193.177" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "OdsJU2cBTFzn_XoLm8zp", + "source": { + "@timestamp": "2018-11-27T02:39:56.989Z", + "source": { + "ip": "13.66.193.177" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186635, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "13.66.193.177" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "13.66.193.177" + } + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, 
+ "auid": "unset", + "uid": "0" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "process": { + "pid": "32736", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "btsHU2cBTFzn_XoLaZwR", + "source": { + "@timestamp": "2018-11-27T02:37:32.833Z", + "source": { + "ip": "36.67.135.42" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "36.67.135.42", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44292 + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30958" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "b9sHU2cBTFzn_XoLaZwR", + "source": { + "@timestamp": "2018-11-27T02:37:32.837Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30958" + }, + "source": { + "ip": "36.67.135.42" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + 
"primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "36.67.135.42", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44293 + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "cNsHU2cBTFzn_XoLaZwR", + "source": { + "@timestamp": "2018-11-27T02:37:33.045Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44294, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "36.67.135.42", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "36.67.135.42", + "type": "user-session" + } + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "30958", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "source": { + "ip": "36.67.135.42" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "XNsIU2cBTFzn_XoLwbmn", + "source": { + "@timestamp": "2018-11-27T02:39:01.052Z", + "auditd": { + "result": "success", + "session": "unset", + "data": { + "op": "PAM:accounting", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": 
"cron" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 184448 + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_acct", + "action": "was-authorized", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "26360", + "exe": "/usr/sbin/cron" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "XdsIU2cBTFzn_XoLwbmn", + "source": { + "@timestamp": "2018-11-27T02:39:01.052Z", + "process": { + "pid": "26360", + "exe": "/usr/sbin/cron" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:setcred" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + }, + "sequence": 184449, + "result": "success" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "cred_acq", + "action": "acquired-credentials" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "XtsIU2cBTFzn_XoLwbmn", + "source": { + "@timestamp": "2018-11-27T02:39:01.054Z", + "process": { + "pid": "26360", + "exe": "/usr/sbin/cron" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "data": { + "op": "PAM:session_open", + "terminal": "cron", + 
"acct": "root" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + }, + "sequence": 184451, + "result": "success", + "session": "9862" + }, + "event": { + "type": "user_start", + "action": "started-session", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "X9sIU2cBTFzn_XoLwbmn", + "source": { + "@timestamp": "2018-11-27T02:39:01.154Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "cred_disp", + "action": "disposed-credentials" + }, + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "process": { + "pid": "26360", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "session": "9862", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:setcred" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 184452, + "result": "success" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YNsIU2cBTFzn_XoLwbmn", + "source": { + "@timestamp": "2018-11-27T02:39:01.156Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_end", + "action": "ended-session" + }, + "user": { + "auid": "0", + 
"name_map": { + "uid": "root", + "auid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "26360", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "data": { + "acct": "root", + "op": "PAM:session_close", + "terminal": "cron" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + } + }, + "sequence": 184453, + "result": "success", + "session": "9862" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "c9sIU2cBTFzn_XoLwrlb", + "source": { + "@timestamp": "2018-11-27T02:39:01.233Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_acct", + "action": "was-authorized" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "1088", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 192631, + "result": "success", + "session": "unset", + "data": { + "terminal": "cron", + "op": "PAM:accounting", + "acct": "root" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "dNsIU2cBTFzn_XoLwrlb", + "source": { + "@timestamp": "2018-11-27T02:39:01.234Z", + "event": { + "type": "cred_acq", + "action": "acquired-credentials", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + 
"version": "7.0.0-alpha1" + }, + "process": { + "pid": "1088", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 192632, + "result": "success", + "session": "unset", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:setcred" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ddsIU2cBTFzn_XoLwrlb", + "source": { + "@timestamp": "2018-11-27T02:39:01.235Z", + "user": { + "auid": "0", + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "pid": "1088", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "session": "9866", + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:session_open" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 192634, + "result": "success" + }, + "event": { + "action": "started-session", + "module": "auditd", + "category": "user-login", + "type": "user_start" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "dtsIU2cBTFzn_XoLwrlb", + "source": { + "@timestamp": "2018-11-27T02:39:01.327Z", + "user": { + "auid": "0", + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "1088" + }, + "auditd": { + "session": "9866", + "data": { + "op": "PAM:setcred", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": 
"/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + } + }, + "sequence": 192635, + "result": "success" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "cred_disp", + "action": "disposed-credentials", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "d9sIU2cBTFzn_XoLwrlb", + "source": { + "@timestamp": "2018-11-27T02:39:01.327Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "session": "9866", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:session_close" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 192636, + "result": "success" + }, + "event": { + "category": "user-login", + "type": "user_end", + "action": "ended-session", + "module": "auditd" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "1088", + "exe": "/usr/sbin/cron" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ndwMU2cBTFzn_XoLNAWN", + "source": { + "@timestamp": "2018-11-27T02:42:47.067Z", + "source": { + "ip": "107.170.76.170" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + 
"how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "107.170.76.170", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 43284, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "13197", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ntwMU2cBTFzn_XoLNAWN", + "source": { + "@timestamp": "2018-11-27T02:42:47.071Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "13197", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "107.170.76.170" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.76.170", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43285, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "n9wMU2cBTFzn_XoLNAWN", + "source": { + "@timestamp": "2018-11-27T02:42:47.107Z", + "auditd": { + "data": { + "op": "PAM:bad_ident", + "hostname": "107.170.76.170", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + 
"object": { + "secondary": "107.170.76.170", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43286, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13197" + }, + "source": { + "ip": "107.170.76.170" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "8NwMU2cBTFzn_XoLOwZZ", + "source": { + "@timestamp": "2018-11-27T02:42:48.812Z", + "event": { + "category": "configuration", + "type": "netfilter_cfg", + "action": "loaded-firewall-rule-to", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "sgid": "0", + "name_map": { + "egid": "root", + "euid": "root", + "fsgid": "root", + "fsuid": "root", + "gid": "root", + "sgid": "root", + "suid": "root", + "uid": "root" + }, + "gid": "0", + "suid": "0", + "fsuid": "0", + "egid": "0", + "uid": "0", + "auid": "unset", + "euid": "0", + "fsgid": "0" + }, + "process": { + "exe": "/sbin/xtables-multi", + "pid": "13199", + "ppid": "1379", + "title": "/sbin/iptables -w -D sshguard -s 147.135.208.7 -j DROP", + "name": "iptables" + }, + "auditd": { + "data": { + "table": "filter", + "tty": "(none)", + "family": "2", + "a1": "0", + "exit": "0", + "a3": "1666870", + "syscall": "setsockopt", + "a2": "40", + "arch": "x86_64", + "a0": "5", + "entries": "155" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": 
"root" + }, + "object": { + "type": "firewall", + "primary": "filter" + }, + "how": "/sbin/xtables-multi" + }, + "sequence": 43287, + "result": "success", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "WdwMU2cBTFzn_XoLRgdH", + "source": { + "@timestamp": "2018-11-27T02:42:51.613Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "84.19.176.196", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184460 + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "26436", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "84.19.176.196" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "WtwMU2cBTFzn_XoLRgdH", + "source": { + "@timestamp": "2018-11-27T02:42:51.614Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "26436", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "84.19.176.196" + }, + "network": { + "direction": "incoming" 
+ }, + "auditd": { + "sequence": 184461, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "84.19.176.196", + "type": "user-session" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "W9wMU2cBTFzn_XoLRgdH", + "source": { + "@timestamp": "2018-11-27T02:42:51.728Z", + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "84.19.176.196" + } + }, + "sequence": 184462, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "84.19.176.196" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "26436", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "84.19.176.196" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rdwMU2cBTFzn_XoLSQex", + "source": { + "@timestamp": "2018-11-27T02:42:52.477Z", + "process": { + "pid": "20119", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "58.97.13.206" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": 
"(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "58.97.13.206" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142443, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rtwMU2cBTFzn_XoLSQex", + "source": { + "@timestamp": "2018-11-27T02:42:52.479Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "20119", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "58.97.13.206" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "58.97.13.206", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142444, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "r9wMU2cBTFzn_XoLSQex", + "source": { + "@timestamp": "2018-11-27T02:42:52.702Z", + "auditd": { + "data": { + "op": "PAM:bad_ident", + "hostname": "58.97.13.206", + "terminal": "ssh" + }, + 
"summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "58.97.13.206", + "type": "user-session" + } + }, + "sequence": 142445, + "result": "fail", + "session": "unset" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "20119", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "58.97.13.206" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qdwMU2cBTFzn_XoLVwgF", + "source": { + "@timestamp": "2018-11-27T02:42:55.899Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "45.55.239.241", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 142446 + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "20121", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "45.55.239.241" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": 
"doc", + "id": "qtwMU2cBTFzn_XoLVwgF", + "source": { + "@timestamp": "2018-11-27T02:42:55.899Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "20121", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "45.55.239.241" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "45.55.239.241", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 142447 + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "q9wMU2cBTFzn_XoLVwgF", + "source": { + "@timestamp": "2018-11-27T02:42:55.930Z", + "source": { + "ip": "45.55.239.241" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "45.55.239.241" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "45.55.239.241", + "type": "user-session" + } + }, + "sequence": 142448, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + 
"name": "demo-stack-haproxy-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "20121" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JdsLU2cBTFzn_XoLffYn", + "source": { + "@timestamp": "2018-11-27T02:42:00.124Z", + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "104.131.124.166", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184457, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "26431", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.131.124.166" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JtsLU2cBTFzn_XoLffYn", + "source": { + "@timestamp": "2018-11-27T02:42:00.125Z", + "process": { + "pid": "26431", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.131.124.166" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184458, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "104.131.124.166", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "host": { + "name": "demo-stack-apache-01" + }, + 
"beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "J9sLU2cBTFzn_XoLffYn", + "source": { + "@timestamp": "2018-11-27T02:42:00.158Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "26431" + }, + "source": { + "ip": "104.131.124.166" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184459, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "104.131.124.166", + "terminal": "ssh" + }, + "summary": { + "object": { + "secondary": "104.131.124.166", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CNwMU2cBTFzn_XoLDAJ2", + "source": { + "@timestamp": "2018-11-27T02:42:36.811Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + 
"process": { + "pid": "20117", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "202.28.34.200" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "202.28.34.200" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142440, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CdwMU2cBTFzn_XoLDAJ2", + "source": { + "@timestamp": "2018-11-27T02:42:36.812Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "20117", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "202.28.34.200" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "202.28.34.200", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 142441 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CtwMU2cBTFzn_XoLDAJ2", + "source": { + "@timestamp": "2018-11-27T02:42:37.043Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + 
"user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "20117", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "202.28.34.200" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "202.28.34.200", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142442, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "202.28.34.200", + "op": "PAM:bad_ident" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QtwMU2cBTFzn_XoLKwWd", + "source": { + "@timestamp": "2018-11-27T02:42:44.787Z", + "source": { + "ip": "103.249.205.78" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186639, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "103.249.205.78" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32752" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Q9wMU2cBTFzn_XoLKwWd", + "source": { + 
"@timestamp": "2018-11-27T02:42:44.788Z", + "source": { + "ip": "103.249.205.78" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "103.249.205.78", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186640 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32752", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "RNwMU2cBTFzn_XoLKwWd", + "source": { + "@timestamp": "2018-11-27T02:42:45.017Z", + "auditd": { + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "103.249.205.78", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186641, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "103.249.205.78" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32752", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "103.249.205.78" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": 
{ + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "btsKU2cBTFzn_XoL6ul0", + "source": { + "@timestamp": "2018-11-27T02:41:22.569Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "1149" + }, + "source": { + "ip": "149.56.15.98" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "149.56.15.98", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192643, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "b9sKU2cBTFzn_XoL6ul0", + "source": { + "@timestamp": "2018-11-27T02:41:22.571Z", + "source": { + "ip": "149.56.15.98" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192644, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "object": { + "secondary": "149.56.15.98", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } 
+ }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "pid": "1149", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "cNsKU2cBTFzn_XoL6ul0", + "source": { + "@timestamp": "2018-11-27T02:41:22.613Z", + "source": { + "ip": "149.56.15.98" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192645, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "149.56.15.98" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "149.56.15.98", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "pid": "1149", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "99sKU2cBTFzn_XoLJtjT", + "source": { + "@timestamp": "2018-11-27T02:40:32.489Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32738" + }, + "source": { + "ip": "37.59.183.21" + }, + 
"network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "37.59.183.21", + "type": "user-session" + } + }, + "sequence": 186636 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-NsKU2cBTFzn_XoLJtjT", + "source": { + "@timestamp": "2018-11-27T02:40:32.490Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32738", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "37.59.183.21" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186637, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "37.59.183.21" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-dsKU2cBTFzn_XoLJtjT", + "source": { + "@timestamp": "2018-11-27T02:40:32.600Z", + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "37.59.183.21", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186638, + "result": "fail", + "session": 
"unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "37.59.183.21" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32738", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "37.59.183.21" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6dsKU2cBTFzn_XoLCtYx", + "source": { + "@timestamp": "2018-11-27T02:40:25.154Z", + "process": { + "pid": "31052", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.248.237.238" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "104.248.237.238" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44298, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6tsKU2cBTFzn_XoLCtYx", + "source": { + "@timestamp": "2018-11-27T02:40:25.158Z", + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + 
"type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31052", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.248.237.238" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "104.248.237.238", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44299, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "69sKU2cBTFzn_XoLCtYx", + "source": { + "@timestamp": "2018-11-27T02:40:25.190Z", + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31052" + }, + "source": { + "ip": "104.248.237.238" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "104.248.237.238" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44300, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "104.248.237.238", + "terminal": "ssh" + } + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": 
"doc", + "id": "TtsKU2cBTFzn_XoLcN9z", + "source": { + "@timestamp": "2018-11-27T02:40:51.334Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "13183", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "191.255.248.91" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "191.255.248.91" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43281 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "T9sKU2cBTFzn_XoLcN9z", + "source": { + "@timestamp": "2018-11-27T02:40:51.334Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "object": { + "secondary": "191.255.248.91", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 43282 + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + 
"process": { + "exe": "/usr/sbin/sshd", + "pid": "13183" + }, + "source": { + "ip": "191.255.248.91" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "UNsKU2cBTFzn_XoLcN9z", + "source": { + "@timestamp": "2018-11-27T02:40:51.490Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "13183", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "191.255.248.91" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43283, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "191.255.248.91" + }, + "summary": { + "object": { + "secondary": "191.255.248.91", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "O90YU2cBTFzn_XoLthfG", + "source": { + "@timestamp": "2018-11-27T02:56:26.843Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "212.46.209.158", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192667 + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "type": "user_login", + "action": 
"logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "1253" + }, + "source": { + "ip": "212.46.209.158" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "PN0YU2cBTFzn_XoLthfG", + "source": { + "@timestamp": "2018-11-27T02:56:26.844Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "212.46.209.158", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192668, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "1253", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "212.46.209.158" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Pd0YU2cBTFzn_XoLthfG", + "source": { + "@timestamp": "2018-11-27T02:56:27.038Z", + "source": { + "ip": "212.46.209.158" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "212.46.209.158", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192669, + "result": "fail", + "session": "unset", + "data": { + 
"terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "212.46.209.158" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "1253" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Wd0YU2cBTFzn_XoLuRey", + "source": { + "@timestamp": "2018-11-27T02:56:27.592Z", + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "20207", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "212.89.171.146" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "212.89.171.146", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142463, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Wt0YU2cBTFzn_XoLuRey", + "source": { + "@timestamp": "2018-11-27T02:56:27.593Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid 
user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "212.89.171.146", + "type": "user-session" + } + }, + "sequence": 142464 + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "20207", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "212.89.171.146" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "W90YU2cBTFzn_XoLuRey", + "source": { + "@timestamp": "2018-11-27T02:56:27.731Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "20207" + }, + "source": { + "ip": "212.89.171.146" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142465, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "212.89.171.146" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "212.89.171.146", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "UN0ZU2cBTFzn_XoLKSHH", + "source": { + "@timestamp": 
"2018-11-27T02:56:56.285Z", + "auditd": { + "sequence": 184490, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "193.70.85.206", + "type": "user-session" + } + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "26545", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "193.70.85.206" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Ud0ZU2cBTFzn_XoLKSHH", + "source": { + "@timestamp": "2018-11-27T02:56:56.286Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "193.70.85.206" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184491, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "26545", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "193.70.85.206" + }, + "network": 
{ + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Ut0ZU2cBTFzn_XoLKSHH", + "source": { + "@timestamp": "2018-11-27T02:56:56.392Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "26545", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "193.70.85.206" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184492, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "193.70.85.206", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "secondary": "193.70.85.206", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0t0ZU2cBTFzn_XoL6TKj", + "source": { + "@timestamp": "2018-11-27T02:57:45.401Z", + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "26553", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "89.36.221.229" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "89.36.221.229", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184493, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + 
"category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "090ZU2cBTFzn_XoL6TKj", + "source": { + "@timestamp": "2018-11-27T02:57:45.402Z", + "auditd": { + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "89.36.221.229", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + }, + "sequence": 184494, + "result": "fail" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "26553", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "89.36.221.229" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "1N0ZU2cBTFzn_XoL6TKj", + "source": { + "@timestamp": "2018-11-27T02:57:45.502Z", + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "26553", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "89.36.221.229" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184495, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "89.36.221.229" + }, + 
"summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "89.36.221.229", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "f90YU2cBTFzn_XoL-B3u", + "source": { + "@timestamp": "2018-11-27T02:56:43.779Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "26542", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "138.68.111.27" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "138.68.111.27", + "type": "user-session" + } + }, + "sequence": 184487, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gN0YU2cBTFzn_XoL-B3u", + "source": { + "@timestamp": "2018-11-27T02:56:43.781Z", + "auditd": { + "sequence": 184488, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid 
user)" + }, + "object": { + "primary": "sshd", + "secondary": "138.68.111.27", + "type": "user-session" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "26542", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "138.68.111.27" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gd0YU2cBTFzn_XoL-B3u", + "source": { + "@timestamp": "2018-11-27T02:56:43.889Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184489, + "result": "fail", + "session": "unset", + "data": { + "hostname": "138.68.111.27", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "138.68.111.27", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "26542", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "138.68.111.27" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YN0ZU2cBTFzn_XoLMCE9", + "source": { + "@timestamp": "2018-11-27T02:56:57.939Z", + "auditd": { + "data": { + "acct": "(unknown user)", + 
"terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "5.39.77.167", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192670, + "result": "fail", + "session": "unset" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "1261" + }, + "source": { + "ip": "5.39.77.167" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Yd0ZU2cBTFzn_XoLMCE9", + "source": { + "@timestamp": "2018-11-27T02:56:57.940Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "5.39.77.167", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 192671, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "1261" + }, + "source": { + "ip": "5.39.77.167" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Yt0ZU2cBTFzn_XoLMCE9", + "source": { + "@timestamp": "2018-11-27T02:56:58.047Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192672, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "5.39.77.167", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "5.39.77.167", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "1261", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "5.39.77.167" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "yN0YU2cBTFzn_XoLnBVF", + "source": { + "@timestamp": "2018-11-27T02:56:20.058Z", + "source": { + "ip": "189.16.195.18" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "189.16.195.18" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192664 + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": 
"7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "pid": "1251", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "yd0YU2cBTFzn_XoLnBVF", + "source": { + "@timestamp": "2018-11-27T02:56:20.060Z", + "process": { + "pid": "1251", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "189.16.195.18" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "189.16.195.18", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192665, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "yt0YU2cBTFzn_XoLnBVF", + "source": { + "@timestamp": "2018-11-27T02:56:20.223Z", + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "1251" + }, + "source": { + "ip": "189.16.195.18" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192666, + "result": "fail", + "session": "unset", + "data": { + "hostname": "189.16.195.18", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + 
"actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "189.16.195.18", + "type": "user-session" + } + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ld0YU2cBTFzn_XoL6hym", + "source": { + "@timestamp": "2018-11-27T02:56:40.122Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "157.100.133.21", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43303, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "13281", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "157.100.133.21" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "lt0YU2cBTFzn_XoL6hym", + "source": { + "@timestamp": "2018-11-27T02:56:40.122Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "13281", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "157.100.133.21" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": 
"demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "157.100.133.21", + "type": "user-session" + } + }, + "sequence": 43304, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "l90YU2cBTFzn_XoL6hym", + "source": { + "@timestamp": "2018-11-27T02:56:40.242Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "157.100.133.21", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43305, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "157.100.133.21" + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "13281", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "157.100.133.21" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "wt0ZU2cBTFzn_XoLqiw3", + "source": { + "@timestamp": "2018-11-27T02:57:29.161Z", + "source": { + "ip": "37.59.62.23" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown 
user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "37.59.62.23", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 44318 + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "31535", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "w90ZU2cBTFzn_XoLqiw3", + "source": { + "@timestamp": "2018-11-27T02:57:29.161Z", + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31535", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "37.59.62.23" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "37.59.62.23", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44319 + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "xN0ZU2cBTFzn_XoLqiw3", + "source": { + "@timestamp": "2018-11-27T02:57:29.269Z", + 
"source": { + "ip": "37.59.62.23" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "37.59.62.23", + "type": "user-session", + "primary": "ssh" + } + }, + "sequence": 44320, + "result": "fail", + "session": "unset", + "data": { + "hostname": "37.59.62.23", + "op": "PAM:bad_ident", + "terminal": "ssh" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31535", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Ld0ZU2cBTFzn_XoLxC9z", + "source": { + "@timestamp": "2018-11-27T02:57:35.874Z", + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "auditd": { + "summary": { + "how": "/lib/systemd/systemd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "apt-daily", + "type": "service" + } + }, + "sequence": 43306, + "result": "success", + "session": "unset", + "data": { + "unit": "apt-daily" + } + }, + "event": { + "category": "system-services", + "type": "service_start", + "action": "started-service", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "1", + "name": "systemd", + "exe": "/lib/systemd/systemd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Lt0ZU2cBTFzn_XoLxC9z", + "source": { 
+ "@timestamp": "2018-11-27T02:57:35.874Z", + "event": { + "category": "system-services", + "type": "service_stop", + "action": "stopped-service", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "1", + "name": "systemd", + "exe": "/lib/systemd/systemd" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "apt-daily", + "type": "service" + }, + "how": "/lib/systemd/systemd" + }, + "sequence": 43307, + "result": "success", + "session": "unset", + "data": { + "unit": "apt-daily" + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "p893UmcBTFzn_XoLs0bb", + "source": { + "@timestamp": "2018-11-27T00:00:34.801Z", + "process": { + "pid": "19147", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "200.35.110.58" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "200.35.110.58", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142246, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qM93UmcBTFzn_XoLs0bb", + "source": { + "@timestamp": "2018-11-27T00:00:34.802Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "200.35.110.58", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142247, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19147", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "200.35.110.58" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qc93UmcBTFzn_XoLs0bb", + "source": { + "@timestamp": "2018-11-27T00:00:34.906Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "200.35.110.58" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142248, + "result": "fail", + "session": "unset", + "data": { + "hostname": "200.35.110.58", + "op": "PAM:bad_ident", + "terminal": "ssh" + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19147", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": 
"demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "source": { + "ip": "200.35.110.58" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Lc97UmcBTFzn_XoLKpLT", + "source": { + "@timestamp": "2018-11-27T00:04:21.865Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31749" + }, + "source": { + "ip": "164.132.112.233" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "164.132.112.233", + "type": "user-session" + } + }, + "sequence": 186182, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Ls97UmcBTFzn_XoLKpLT", + "source": { + "@timestamp": "2018-11-27T00:04:21.866Z", + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "31749", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "164.132.112.233" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186183, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + 
"secondary": "164.132.112.233", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "L897UmcBTFzn_XoLKpLT", + "source": { + "@timestamp": "2018-11-27T00:04:21.973Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "164.132.112.233" + } + }, + "sequence": 186184, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "164.132.112.233", + "terminal": "ssh" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31749" + }, + "source": { + "ip": "164.132.112.233" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "o894UmcBTFzn_XoLA00h", + "source": { + "@timestamp": "2018-11-27T00:00:55.095Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": 
"139.198.120.32", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192390, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31971", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "139.198.120.32" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "pM94UmcBTFzn_XoLA00h", + "source": { + "@timestamp": "2018-11-27T00:00:55.096Z", + "auditd": { + "sequence": 192391, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "139.198.120.32", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31971" + }, + "source": { + "ip": "139.198.120.32" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "pc94UmcBTFzn_XoLA00h", + "source": { + "@timestamp": "2018-11-27T00:00:55.269Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + 
}, + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "pid": "31971", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "139.198.120.32" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "139.198.120.32" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "139.198.120.32", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192392 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "eM95UmcBTFzn_XoLP2hD", + "source": { + "@timestamp": "2018-11-27T00:02:15.998Z", + "source": { + "ip": "106.12.29.232" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192393, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "106.12.29.232", + "type": "user-session" + } + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "31979", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"ec95UmcBTFzn_XoLP2hD", + "source": { + "@timestamp": "2018-11-27T00:02:15.999Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31979" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "106.12.29.232" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "106.12.29.232", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192394 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "es95UmcBTFzn_XoLP2hD", + "source": { + "@timestamp": "2018-11-27T00:02:16.292Z", + "source": { + "ip": "106.12.29.232" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "106.12.29.232" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "106.12.29.232", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 192395 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": 
"unset" + }, + "process": { + "pid": "31979", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "PM99UmcBTFzn_XoLjscA", + "source": { + "@timestamp": "2018-11-27T00:06:58.326Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "54.37.154.254", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186188, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31766", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "54.37.154.254" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Pc99UmcBTFzn_XoLjscA", + "source": { + "@timestamp": "2018-11-27T00:06:58.327Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31766", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "54.37.154.254" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid 
user)" + }, + "object": { + "secondary": "54.37.154.254", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186189 + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Ps99UmcBTFzn_XoLjscA", + "source": { + "@timestamp": "2018-11-27T00:06:58.438Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "54.37.154.254" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "54.37.154.254" + } + }, + "sequence": 186190 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31766", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "54.37.154.254" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "cM95UmcBTFzn_XoLKGaD", + "source": { + "@timestamp": "2018-11-27T00:02:10.186Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31740", + "exe": "/usr/sbin/sshd" + 
}, + "source": { + "ip": "211.24.100.205" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186179, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "211.24.100.205", + "type": "user-session" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "cc95UmcBTFzn_XoLKGaD", + "source": { + "@timestamp": "2018-11-27T00:02:10.188Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "31740", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "211.24.100.205" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "211.24.100.205", + "type": "user-session" + } + }, + "sequence": 186180, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + } + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "cs95UmcBTFzn_XoLKGaD", + "source": { + "@timestamp": "2018-11-27T00:02:10.392Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + 
}, + "uid": "0" + }, + "process": { + "pid": "31740", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "211.24.100.205" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "211.24.100.205", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186181, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "211.24.100.205" + } + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "hs93UmcBTFzn_XoLcEF7", + "source": { + "@timestamp": "2018-11-27T00:00:17.552Z", + "source": { + "ip": "142.93.210.90" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "142.93.210.90" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192387, + "result": "fail", + "session": "unset" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31968", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "h893UmcBTFzn_XoLcEF7", + "source": { + "@timestamp": "2018-11-27T00:00:17.552Z", + "event": { + "category": 
"user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31968" + }, + "source": { + "ip": "142.93.210.90" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192388, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "142.93.210.90", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "iM93UmcBTFzn_XoLcEF7", + "source": { + "@timestamp": "2018-11-27T00:00:17.784Z", + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31968" + }, + "source": { + "ip": "142.93.210.90" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "142.93.210.90" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192389, + "result": "fail", + "session": "unset", + "data": { + "hostname": "142.93.210.90", + "op": "PAM:bad_ident", + "terminal": "ssh" + } + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + 
"value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "k899UmcBTFzn_XoL6M7W", + "source": { + "@timestamp": "2018-11-27T00:07:21.573Z", + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "27895", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "174.50.26.154" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "174.50.26.154", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + }, + "sequence": 44073, + "result": "fail" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "lM99UmcBTFzn_XoL6M7W", + "source": { + "@timestamp": "2018-11-27T00:07:21.577Z", + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "174.50.26.154", + "type": "user-session" + } + }, + "sequence": 44074, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "27895", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "174.50.26.154" + }, + 
"network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "lc99UmcBTFzn_XoL6M7W", + "source": { + "@timestamp": "2018-11-27T00:07:21.673Z", + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "27895" + }, + "source": { + "ip": "174.50.26.154" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44075, + "result": "fail", + "session": "unset", + "data": { + "hostname": "174.50.26.154", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "174.50.26.154", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "aM97UmcBTFzn_XoL4qJ8", + "source": { + "@timestamp": "2018-11-27T00:05:08.881Z", + "process": { + "pid": "31758", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.38.82.60" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "51.38.82.60", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186185 + }, + "beat": { + "name": 
"demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ac97UmcBTFzn_XoL4qJ8", + "source": { + "@timestamp": "2018-11-27T00:05:08.882Z", + "source": { + "ip": "51.38.82.60" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186186, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "51.38.82.60", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31758", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "as97UmcBTFzn_XoL4qJ8", + "source": { + "@timestamp": "2018-11-27T00:05:08.989Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31758", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.38.82.60" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186187, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": 
"PAM:bad_ident", + "hostname": "51.38.82.60" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "51.38.82.60" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "4M99UmcBTFzn_XoLtco1", + "source": { + "@timestamp": "2018-11-27T00:07:08.363Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "31768", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.101.26.63" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "secondary": "46.101.26.63", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186191 + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "4c99UmcBTFzn_XoLtco1", + "source": { + "@timestamp": "2018-11-27T00:07:08.364Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + 
"user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31768", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.101.26.63" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "46.101.26.63", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186192, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "4s99UmcBTFzn_XoLtco1", + "source": { + "@timestamp": "2018-11-27T00:07:08.463Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31768", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.101.26.63" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186193, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "46.101.26.63" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "46.101.26.63" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_NCBUmcBTFzn_XoLzSMR", + "source": { + "@timestamp": 
"2018-11-27T00:11:36.615Z", + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "86.96.203.107", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186212 + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31802", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "86.96.203.107" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_dCBUmcBTFzn_XoLzSMR", + "source": { + "@timestamp": "2018-11-27T00:11:36.616Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31802", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "86.96.203.107" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "86.96.203.107", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186213, + "result": "fail", + "session": "unset" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": 
"demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_tCBUmcBTFzn_XoLzSMR", + "source": { + "@timestamp": "2018-11-27T00:11:36.828Z", + "source": { + "ip": "86.96.203.107" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "86.96.203.107" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "86.96.203.107", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186214, + "result": "fail", + "session": "unset" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31802" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "WdCBUmcBTFzn_XoLzyVY", + "source": { + "@timestamp": "2018-11-27T00:11:37.195Z", + "auditd": { + "sequence": 43095, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "104.248.236.32" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "12257", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": 
"104.248.236.32" + }, + "network": { + "direction": "incoming" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "WtCBUmcBTFzn_XoLzyVY", + "source": { + "@timestamp": "2018-11-27T00:11:37.195Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "process": { + "pid": "12257", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.248.236.32" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43096, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "104.248.236.32", + "type": "user-session", + "primary": "sshd" + } + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "W9CBUmcBTFzn_XoLzyVY", + "source": { + "@timestamp": "2018-11-27T00:11:37.223Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43097, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "104.248.236.32", + "terminal": "ssh" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "104.248.236.32", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + 
} + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "12257", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.248.236.32" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ZNCBUmcBTFzn_XoL0yWS", + "source": { + "@timestamp": "2018-11-27T00:11:38.280Z", + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "pid": "32078", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "91.121.26.184" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "secondary": "91.121.26.184", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192402 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ZdCBUmcBTFzn_XoL0yWS", + "source": { + "@timestamp": "2018-11-27T00:11:38.280Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + 
"primary": "sshd", + "secondary": "91.121.26.184", + "type": "user-session" + } + }, + "sequence": 192403, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32078", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "91.121.26.184" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ZtCBUmcBTFzn_XoL0yWS", + "source": { + "@timestamp": "2018-11-27T00:11:38.388Z", + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32078", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "91.121.26.184" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192404, + "result": "fail", + "session": "unset", + "data": { + "hostname": "91.121.26.184", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "91.121.26.184", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "HtCBUmcBTFzn_XoLJBa0", + "source": { + "@timestamp": "2018-11-27T00:10:53.514Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": 
"logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "process": { + "pid": "19210", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "206.189.183.75" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "206.189.183.75" + } + }, + "sequence": 142258, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "H9CBUmcBTFzn_XoLJBa0", + "source": { + "@timestamp": "2018-11-27T00:10:53.515Z", + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "206.189.183.75" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142259, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19210" + }, + "source": { + "ip": "206.189.183.75" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "INCBUmcBTFzn_XoLJBa0", + "source": { + "@timestamp": "2018-11-27T00:10:53.546Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142260, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "206.189.183.75" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "206.189.183.75" + }, + "how": "/usr/sbin/sshd" + } + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19210", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "206.189.183.75" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Z9CCUmcBTFzn_XoL5z0B", + "source": { + "@timestamp": "2018-11-27T00:12:48.790Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19223" + }, + "source": { + "ip": "188.166.213.254" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "188.166.213.254", + "type": "user-session" + } + }, + "sequence": 142261, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown 
user)", + "terminal": "sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "aNCCUmcBTFzn_XoL5z0B", + "source": { + "@timestamp": "2018-11-27T00:12:48.791Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19223", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "188.166.213.254" + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142262, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "188.166.213.254", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "adCCUmcBTFzn_XoL5z0B", + "source": { + "@timestamp": "2018-11-27T00:12:48.985Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19223", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "188.166.213.254" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142263, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "188.166.213.254" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" 
+ }, + "object": { + "primary": "ssh", + "secondary": "188.166.213.254", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ytCAUmcBTFzn_XoLfAfq", + "source": { + "@timestamp": "2018-11-27T00:10:10.560Z", + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31792", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "123.136.161.146" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "123.136.161.146" + } + }, + "sequence": 186206, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "y9CAUmcBTFzn_XoLfAfq", + "source": { + "@timestamp": "2018-11-27T00:10:10.561Z", + "auditd": { + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "123.136.161.146", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 
186207, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31792", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "123.136.161.146" + }, + "network": { + "direction": "incoming" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "zNCAUmcBTFzn_XoLfAfq", + "source": { + "@timestamp": "2018-11-27T00:10:10.789Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31792", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "123.136.161.146" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "123.136.161.146" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "123.136.161.146" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186208, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-NCBUmcBTFzn_XoLRxhI", + "source": { + "@timestamp": "2018-11-27T00:11:02.367Z", + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "31799", + 
"exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "103.241.146.65" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186209, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "103.241.146.65", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-dCBUmcBTFzn_XoLRxhI", + "source": { + "@timestamp": "2018-11-27T00:11:02.368Z", + "source": { + "ip": "103.241.146.65" + }, + "network": { + "direction": "incoming" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "103.241.146.65", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186210 + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "31799", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"-tCBUmcBTFzn_XoLRxhI", + "source": { + "@timestamp": "2018-11-27T00:11:02.619Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "31799", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "103.241.146.65" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186211, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "103.241.146.65", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "103.241.146.65" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "kdCDUmcBTFzn_XoLZUd0", + "source": { + "@timestamp": "2018-11-27T00:13:21.161Z", + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "104.248.159.44", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186218, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "31813", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.248.159.44" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + 
"version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ktCDUmcBTFzn_XoLZUd0", + "source": { + "@timestamp": "2018-11-27T00:13:21.162Z", + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "104.248.159.44", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186219, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31813" + }, + "source": { + "ip": "104.248.159.44" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "k9CDUmcBTFzn_XoLZUd0", + "source": { + "@timestamp": "2018-11-27T00:13:21.355Z", + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "104.248.159.44", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "104.248.159.44", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186220, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + 
"uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "31813", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.248.159.44" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "zdCCUmcBTFzn_XoLfDPd", + "source": { + "@timestamp": "2018-11-27T00:12:21.596Z", + "source": { + "ip": "46.148.18.163" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "46.148.18.163", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186215, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "31805", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ztCCUmcBTFzn_XoLfDPd", + "source": { + "@timestamp": "2018-11-27T00:12:21.598Z", + "source": { + "ip": "46.148.18.163" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "46.148.18.163", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186216, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + 
"acct": "(invalid user)", + "op": "login" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31805" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "z9CCUmcBTFzn_XoLfDPd", + "source": { + "@timestamp": "2018-11-27T00:12:21.740Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186217, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "46.148.18.163", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "46.148.18.163", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31805", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.148.18.163" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "J9CAUmcBTFzn_XoL2xDJ", + "source": { + "@timestamp": "2018-11-27T00:10:34.814Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + 
"primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "177.206.128.131", + "type": "user-session" + } + }, + "sequence": 43092, + "result": "fail" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "12250", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "177.206.128.131" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KNCAUmcBTFzn_XoL2xDJ", + "source": { + "@timestamp": "2018-11-27T00:10:34.814Z", + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "12250", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "177.206.128.131" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "177.206.128.131", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 43093, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KdCAUmcBTFzn_XoL2xDJ", + "source": { + "@timestamp": "2018-11-27T00:10:35.006Z", + "event": { + 
"type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "pid": "12250", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "177.206.128.131" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43094, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "177.206.128.131" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "177.206.128.131", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "cdCCUmcBTFzn_XoLBilE", + "source": { + "@timestamp": "2018-11-27T00:11:51.257Z", + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "142.93.109.33" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "142.93.109.33", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43098, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "12259", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + 
"type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ctCCUmcBTFzn_XoLBilE", + "source": { + "@timestamp": "2018-11-27T00:11:51.257Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12259", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "142.93.109.33" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "142.93.109.33", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43099, + "result": "fail" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "c9CCUmcBTFzn_XoLBilE", + "source": { + "@timestamp": "2018-11-27T00:11:51.365Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12259", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "142.93.109.33" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "142.93.109.33" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43100, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "142.93.109.33", + "terminal": "ssh" + } + }, + "event": { + "category": "user-login", + "type": 
"user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5NCHUmcBTFzn_XoLiqIH", + "source": { + "@timestamp": "2018-11-27T00:17:52.669Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192414, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "161.132.195.76", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32116", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "161.132.195.76" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5dCHUmcBTFzn_XoLiqIH", + "source": { + "@timestamp": "2018-11-27T00:17:52.670Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32116", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "161.132.195.76" + }, + "network": { + "direction": "incoming" + }, + 
"auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "161.132.195.76" + } + }, + "sequence": 192415, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5tCHUmcBTFzn_XoLiqIH", + "source": { + "@timestamp": "2018-11-27T00:17:52.776Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32116" + }, + "source": { + "ip": "161.132.195.76" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "summary": { + "object": { + "primary": "ssh", + "secondary": "161.132.195.76", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 192416, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "161.132.195.76", + "terminal": "ssh" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "q9CHUmcBTFzn_XoLj6PQ", + "source": { + "@timestamp": "2018-11-27T00:17:54.150Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31844" + }, + "source": { + "ip": "202.175.83.165" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": 
"login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "202.175.83.165" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186236, + "result": "fail" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rNCHUmcBTFzn_XoLj6PQ", + "source": { + "@timestamp": "2018-11-27T00:17:54.151Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31844" + }, + "source": { + "ip": "202.175.83.165" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186237, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "202.175.83.165", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rdCHUmcBTFzn_XoLj6PQ", + "source": { + "@timestamp": "2018-11-27T00:17:54.333Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + 
"user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31844" + }, + "source": { + "ip": "202.175.83.165" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186238, + "result": "fail", + "session": "unset", + "data": { + "hostname": "202.175.83.165", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "202.175.83.165", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "NNCHUmcBTFzn_XoLkqTG", + "source": { + "@timestamp": "2018-11-27T00:17:54.909Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32118", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "128.199.107.237" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "128.199.107.237", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192417, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + 
"id": "NdCHUmcBTFzn_XoLkqTG", + "source": { + "@timestamp": "2018-11-27T00:17:54.910Z", + "source": { + "ip": "128.199.107.237" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "128.199.107.237", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192418, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32118", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "NtCHUmcBTFzn_XoLkqTG", + "source": { + "@timestamp": "2018-11-27T00:17:55.100Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "128.199.107.237" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "hostname": "128.199.107.237", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "128.199.107.237", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192419 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { 
+ "uid": "root" + } + }, + "process": { + "pid": "32118", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "P9CHUmcBTFzn_XoLmKRB", + "source": { + "@timestamp": "2018-11-27T00:17:56.311Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "secondary": "197.149.137.86", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192420, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32120", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "197.149.137.86" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QNCHUmcBTFzn_XoLmKRB", + "source": { + "@timestamp": "2018-11-27T00:17:56.312Z", + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "197.149.137.86", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192421, + "result": "fail" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + 
"category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32120", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "197.149.137.86" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QdCHUmcBTFzn_XoLmKRB", + "source": { + "@timestamp": "2018-11-27T00:17:56.547Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "197.149.137.86", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "197.149.137.86" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192422 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32120" + }, + "source": { + "ip": "197.149.137.86" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "kNCIUmcBTFzn_XoL68Ge", + "source": { + "@timestamp": "2018-11-27T00:19:23.188Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31854" + }, + "source": { + "ip": "165.227.63.250" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": 
"unset" + }, + "object": { + "primary": "sshd", + "secondary": "165.227.63.250", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186242, + "result": "fail", + "session": "unset" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "kdCIUmcBTFzn_XoL68Ge", + "source": { + "@timestamp": "2018-11-27T00:19:23.189Z", + "process": { + "pid": "31854", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "165.227.63.250" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "165.227.63.250", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186243 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ktCIUmcBTFzn_XoL68Ge", + "source": { + "@timestamp": "2018-11-27T00:19:23.230Z", + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": 
"7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31854", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "165.227.63.250" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "165.227.63.250", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "secondary": "165.227.63.250", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186244, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "7tCIUmcBTFzn_XoL_MPx", + "source": { + "@timestamp": "2018-11-27T00:19:27.623Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "24879" + }, + "source": { + "ip": "185.137.92.168" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "185.137.92.168" + } + }, + "sequence": 184264 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "79CIUmcBTFzn_XoL_MPx", + "source": { + "@timestamp": "2018-11-27T00:19:27.624Z", + 
"host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "24879", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "185.137.92.168" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "185.137.92.168", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184265 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "8NCIUmcBTFzn_XoL_MPx", + "source": { + "@timestamp": "2018-11-27T00:19:27.733Z", + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "24879", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "185.137.92.168" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "185.137.92.168" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "185.137.92.168" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184266, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } 
+ } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "sdCJUmcBTFzn_XoLMcci", + "source": { + "@timestamp": "2018-11-27T00:19:40.983Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31857", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "185.58.119.156" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186245, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "185.58.119.156" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "stCJUmcBTFzn_XoLMcci", + "source": { + "@timestamp": "2018-11-27T00:19:40.984Z", + "source": { + "ip": "185.58.119.156" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "185.58.119.156" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186246, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + 
"category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31857", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "s9CJUmcBTFzn_XoLMcci", + "source": { + "@timestamp": "2018-11-27T00:19:41.111Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "31857", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "185.58.119.156" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186247, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "185.58.119.156", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "secondary": "185.58.119.156", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + } + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "RdCJUmcBTFzn_XoLOcgJ", + "source": { + "@timestamp": "2018-11-27T00:19:43.008Z", + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "201.134.231.33" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186248, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + 
"host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31859", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "201.134.231.33" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "RtCJUmcBTFzn_XoLOcgJ", + "source": { + "@timestamp": "2018-11-27T00:19:43.009Z", + "process": { + "pid": "31859", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "201.134.231.33" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "secondary": "201.134.231.33", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + }, + "sequence": 186249, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "R9CJUmcBTFzn_XoLOcgJ", + "source": { + "@timestamp": "2018-11-27T00:19:43.074Z", + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": 
"unset", + "secondary": "root" + }, + "object": { + "secondary": "201.134.231.33", + "type": "user-session", + "primary": "ssh" + } + }, + "sequence": 186250, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "201.134.231.33", + "terminal": "ssh" + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31859", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "201.134.231.33" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rtCGUmcBTFzn_XoL3pS1", + "source": { + "@timestamp": "2018-11-27T00:17:08.809Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32108" + }, + "source": { + "ip": "220.116.47.116" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "220.116.47.116", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192411, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "r9CGUmcBTFzn_XoL3pS1", + "source": { + "@timestamp": "2018-11-27T00:17:08.810Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + 
"terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "220.116.47.116", + "type": "user-session" + } + }, + "sequence": 192412, + "result": "fail", + "session": "unset" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32108" + }, + "source": { + "ip": "220.116.47.116" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "sNCGUmcBTFzn_XoL3pS1", + "source": { + "@timestamp": "2018-11-27T00:17:08.983Z", + "source": { + "ip": "220.116.47.116" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "220.116.47.116", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "220.116.47.116", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192413, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32108", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + 
"type": "doc", + "id": "rNCIUmcBTFzn_XoLa7Yh", + "source": { + "@timestamp": "2018-11-27T00:18:50.295Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "24869" + }, + "source": { + "ip": "222.117.50.66" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "222.117.50.66" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184258, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rdCIUmcBTFzn_XoLa7Yh", + "source": { + "@timestamp": "2018-11-27T00:18:50.297Z", + "process": { + "pid": "24869", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "222.117.50.66" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "222.117.50.66", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184259 + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": 
"demo-stack-apache-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rtCIUmcBTFzn_XoLa7Yh", + "source": { + "@timestamp": "2018-11-27T00:18:50.462Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "222.117.50.66", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "222.117.50.66", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + } + }, + "sequence": 184260, + "result": "fail" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "24869", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "222.117.50.66" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "SNCIUmcBTFzn_XoLeri8", + "source": { + "@timestamp": "2018-11-27T00:18:54.288Z", + "source": { + "ip": "46.148.18.163" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186239, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "46.148.18.163", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + 
"host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31851", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "SdCIUmcBTFzn_XoLeri8", + "source": { + "@timestamp": "2018-11-27T00:18:54.289Z", + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "auditd": { + "sequence": 186240, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "46.148.18.163", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31851", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.148.18.163" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "StCIUmcBTFzn_XoLeri8", + "source": { + "@timestamp": "2018-11-27T00:18:54.436Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31851" + }, + "source": { + "ip": "46.148.18.163" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + 
"hostname": "46.148.18.163", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "46.148.18.163", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 186241 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Z9CJUmcBTFzn_XoLDcR_", + "source": { + "@timestamp": "2018-11-27T00:19:31.861Z", + "source": { + "ip": "85.234.34.90" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "85.234.34.90", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 184267, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "24881", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "aNCJUmcBTFzn_XoLDcR_", + "source": { + "@timestamp": "2018-11-27T00:19:31.862Z", + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "85.234.34.90", 
+ "type": "user-session" + } + }, + "sequence": 184268, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "24881" + }, + "source": { + "ip": "85.234.34.90" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "adCJUmcBTFzn_XoLDcR_", + "source": { + "@timestamp": "2018-11-27T00:19:32.020Z", + "source": { + "ip": "85.234.34.90" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "ssh", + "hostname": "85.234.34.90", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "85.234.34.90", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 184269, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "24881" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "OtCIUmcBTFzn_XoL08CH", + "source": { + "@timestamp": "2018-11-27T00:19:17.019Z", + 
"beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "24877", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "27.254.90.106" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "27.254.90.106", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184261 + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "O9CIUmcBTFzn_XoL08CH", + "source": { + "@timestamp": "2018-11-27T00:19:17.020Z", + "source": { + "ip": "27.254.90.106" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184262, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "27.254.90.106", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "24877", + "exe": "/usr/sbin/sshd" + 
} + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "PNCIUmcBTFzn_XoL08CH", + "source": { + "@timestamp": "2018-11-27T00:19:17.244Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "27.254.90.106", + "terminal": "ssh" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "27.254.90.106", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 184263 + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "24877", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "27.254.90.106" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_dCJUmcBTFzn_XoLv9T4", + "source": { + "@timestamp": "2018-11-27T00:20:17.545Z", + "auditd": { + "sequence": 44088, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "87.191.133.16", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { 
+ "name": "demo-stack-es-01" + }, + "process": { + "pid": "28146", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "87.191.133.16" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_tCJUmcBTFzn_XoLv9T4", + "source": { + "@timestamp": "2018-11-27T00:20:17.545Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "28146" + }, + "source": { + "ip": "87.191.133.16" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "87.191.133.16", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44089, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_9CJUmcBTFzn_XoLv9T4", + "source": { + "@timestamp": "2018-11-27T00:20:17.665Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "87.191.133.16", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "object": { + "secondary": "87.191.133.16", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 44090, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": 
"auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "28146", + "exe": "/usr/sbin/sshd" + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "source": { + "ip": "87.191.133.16" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "xtGOUmcBTFzn_XoLCjLw", + "source": { + "@timestamp": "2018-11-27T00:24:58.886Z", + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "24919", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.128.55.52" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184276, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "178.128.55.52", + "type": "user-session" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "x9GOUmcBTFzn_XoLCjLw", + "source": { + "@timestamp": "2018-11-27T00:24:58.888Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "178.128.55.52" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184277, + "result": "fail", + "session": "unset", + 
"data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "178.128.55.52", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "24919", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "yNGOUmcBTFzn_XoLCjLw", + "source": { + "@timestamp": "2018-11-27T00:24:59.080Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "24919", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.128.55.52" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "hostname": "178.128.55.52", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "178.128.55.52", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184278 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FtGOUmcBTFzn_XoLEzP0", + "source": { + "@timestamp": "2018-11-27T00:25:01.159Z", + "auditd": { + "session": "unset", + "data": { + "acct": "root", + "op": "PAM:accounting", + "terminal": "cron" + }, + "summary": { + 
"object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 44103, + "result": "success" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "action": "was-authorized", + "module": "auditd", + "category": "user-login", + "type": "user_acct" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "28242", + "exe": "/usr/sbin/cron" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "F9GOUmcBTFzn_XoLEzP0", + "source": { + "@timestamp": "2018-11-27T00:25:01.159Z", + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "28242", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 44104, + "result": "success", + "session": "unset", + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:setcred" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron" + } + }, + "event": { + "category": "user-login", + "type": "cred_acq", + "action": "acquired-credentials", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "GNGOUmcBTFzn_XoLEzP0", + "source": { + "@timestamp": "2018-11-27T00:25:01.159Z", + "process": { + "pid": "28242", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "type": "user-session", + 
"primary": "cron" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 44106, + "result": "success", + "session": "1443", + "data": { + "op": "PAM:session_open", + "terminal": "cron", + "acct": "root" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_start", + "action": "started-session" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "GdGOUmcBTFzn_XoLEzP0", + "source": { + "@timestamp": "2018-11-27T00:25:01.163Z", + "event": { + "type": "cred_disp", + "action": "disposed-credentials", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "0", + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "28242" + }, + "auditd": { + "sequence": 44107, + "result": "success", + "session": "1443", + "data": { + "acct": "root", + "op": "PAM:setcred", + "terminal": "cron" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron" + } + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "GtGOUmcBTFzn_XoLEzP0", + "source": { + "@timestamp": "2018-11-27T00:25:01.163Z", + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "process": { + "pid": "28242", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 44108, + "result": "success", + "session": 
"1443", + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:session_close" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + } + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "type": "user_end", + "action": "ended-session", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "y9GOUmcBTFzn_XoLLTXy", + "source": { + "@timestamp": "2018-11-27T00:25:07.848Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "24921" + }, + "source": { + "ip": "78.217.134.141" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "78.217.134.141", + "type": "user-session" + } + }, + "sequence": 184279 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "zNGOUmcBTFzn_XoLLTXy", + "source": { + "@timestamp": "2018-11-27T00:25:07.849Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + 
"name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "24921" + }, + "source": { + "ip": "78.217.134.141" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "78.217.134.141" + } + }, + "sequence": 184280 + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "zdGOUmcBTFzn_XoLLTXy", + "source": { + "@timestamp": "2018-11-27T00:25:07.962Z", + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "24921", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "78.217.134.141" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "78.217.134.141", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "78.217.134.141", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184281, + "result": "fail" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0NGOUmcBTFzn_XoLLjX5", 
+ "source": { + "@timestamp": "2018-11-27T00:25:08.111Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "151.80.144.39", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142273 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "19291", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "151.80.144.39" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0dGOUmcBTFzn_XoLLjX5", + "source": { + "@timestamp": "2018-11-27T00:25:08.112Z", + "process": { + "pid": "19291", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "151.80.144.39" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142274, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "151.80.144.39", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + 
"uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0tGOUmcBTFzn_XoLLjX5", + "source": { + "@timestamp": "2018-11-27T00:25:08.218Z", + "auditd": { + "sequence": 142275, + "result": "fail", + "session": "unset", + "data": { + "hostname": "151.80.144.39", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "151.80.144.39", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19291" + }, + "source": { + "ip": "151.80.144.39" + }, + "network": { + "direction": "incoming" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "xNGOUmcBTFzn_XoLYDl2", + "source": { + "@timestamp": "2018-11-27T00:25:20.780Z", + "process": { + "pid": "24924", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.208.143.92" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184282, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "104.208.143.92", + "type": "user-session", + "primary": "sshd" + } + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": 
"demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "xdGOUmcBTFzn_XoLYDl2", + "source": { + "@timestamp": "2018-11-27T00:25:20.781Z", + "process": { + "pid": "24924", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.208.143.92" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184283, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "104.208.143.92" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "xtGOUmcBTFzn_XoLYDl2", + "source": { + "@timestamp": "2018-11-27T00:25:20.819Z", + "process": { + "pid": "24924", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.208.143.92" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "hostname": "104.208.143.92", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "104.208.143.92", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + 
"primary": "unset", + "secondary": "root" + } + }, + "sequence": 184284, + "result": "fail", + "session": "unset" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "nNGPUmcBTFzn_XoLF0mX", + "source": { + "@timestamp": "2018-11-27T00:26:07.661Z", + "source": { + "ip": "197.13.4.211" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "197.13.4.211", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 184285 + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "24931", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ndGPUmcBTFzn_XoLF0mX", + "source": { + "@timestamp": "2018-11-27T00:26:07.662Z", + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": 
"user-session", + "primary": "sshd", + "secondary": "197.13.4.211" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184286, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "24931", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "197.13.4.211" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ntGPUmcBTFzn_XoLF0mX", + "source": { + "@timestamp": "2018-11-27T00:26:07.796Z", + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "24931", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "197.13.4.211" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "197.13.4.211" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "197.13.4.211", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184287 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "N9GPUmcBTFzn_XoLi1R8", + "source": { + "@timestamp": "2018-11-27T00:26:37.330Z", + "source": { + 
"ip": "128.199.216.13" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "128.199.216.13", + "type": "user-session" + } + }, + "sequence": 192431, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32510", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ONGPUmcBTFzn_XoLi1R8", + "source": { + "@timestamp": "2018-11-27T00:26:37.331Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32510", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "128.199.216.13" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "128.199.216.13", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192432 + } + } + } +} + 
+{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "OdGPUmcBTFzn_XoLi1R8", + "source": { + "@timestamp": "2018-11-27T00:26:37.524Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "process": { + "pid": "32510", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "128.199.216.13" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192433, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "128.199.216.13", + "terminal": "ssh" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "128.199.216.13", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "iNGNUmcBTFzn_XoLxiyC", + "source": { + "@timestamp": "2018-11-27T00:24:41.365Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "secondary": "147.135.208.7", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 43116, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": 
"/usr/sbin/sshd", + "pid": "12336" + }, + "source": { + "ip": "147.135.208.7" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "idGNUmcBTFzn_XoLxiyC", + "source": { + "@timestamp": "2018-11-27T00:24:41.365Z", + "source": { + "ip": "147.135.208.7" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43117, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "147.135.208.7", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "12336", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "itGNUmcBTFzn_XoLxiyC", + "source": { + "@timestamp": "2018-11-27T00:24:41.497Z", + "auditd": { + "sequence": 43118, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "147.135.208.7" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "147.135.208.7", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + 
"name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12336" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "147.135.208.7" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3NGPUmcBTFzn_XoLV05i", + "source": { + "@timestamp": "2018-11-27T00:26:23.985Z", + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "51.38.38.221", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44109, + "result": "fail", + "session": "unset" + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "28278", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.38.38.221" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3dGPUmcBTFzn_XoLV05i", + "source": { + "@timestamp": "2018-11-27T00:26:23.989Z", + "process": { + "pid": "28278", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.38.38.221" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(invalid 
user)", + "primary": "unset" + }, + "object": { + "secondary": "51.38.38.221", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44110, + "result": "fail" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3tGPUmcBTFzn_XoLV05i", + "source": { + "@timestamp": "2018-11-27T00:26:24.093Z", + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "51.38.38.221", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "51.38.38.221", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44111, + "result": "fail" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "28278", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.38.38.221" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "NdGNUmcBTFzn_XoLoilI", + "source": { + "@timestamp": "2018-11-27T00:24:32.089Z", + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + 
"process": { + "pid": "28228", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "202.138.233.92" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "202.138.233.92", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44100 + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "NtGNUmcBTFzn_XoLoilI", + "source": { + "@timestamp": "2018-11-27T00:24:32.089Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "28228", + "exe": "/usr/sbin/sshd" + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "source": { + "ip": "202.138.233.92" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "202.138.233.92" + } + }, + "sequence": 44101 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "N9GNUmcBTFzn_XoLoilI", + "source": { + "@timestamp": 
"2018-11-27T00:24:32.345Z", + "process": { + "pid": "28228", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "source": { + "ip": "202.138.233.92" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44102, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "202.138.233.92", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "secondary": "202.138.233.92", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "69GPUmcBTFzn_XoLM0ud", + "source": { + "@timestamp": "2018-11-27T00:26:14.833Z", + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "1", + "name": "systemd", + "exe": "/lib/systemd/systemd" + }, + "auditd": { + "result": "success", + "session": "unset", + "data": { + "unit": "apt-daily" + }, + "summary": { + "object": { + "primary": "apt-daily", + "type": "service" + }, + "how": "/lib/systemd/systemd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 192429 + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "system-services", + "type": "service_start", + "action": "started-service", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + 
"id": "7NGPUmcBTFzn_XoLM0ud", + "source": { + "@timestamp": "2018-11-27T00:26:14.834Z", + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "pid": "1", + "name": "systemd", + "exe": "/lib/systemd/systemd" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "apt-daily", + "type": "service" + }, + "how": "/lib/systemd/systemd" + }, + "sequence": 192430, + "result": "success", + "session": "unset", + "data": { + "unit": "apt-daily" + } + }, + "event": { + "action": "stopped-service", + "module": "auditd", + "category": "system-services", + "type": "service_stop" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-dGTUmcBTFzn_XoLE6A1", + "source": { + "@timestamp": "2018-11-27T00:30:28.676Z", + "process": { + "pid": "28355", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "source": { + "ip": "212.227.192.118" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44115, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "212.227.192.118", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + 
"index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-tGTUmcBTFzn_XoLE6A1", + "source": { + "@timestamp": "2018-11-27T00:30:28.680Z", + "process": { + "pid": "28355", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "212.227.192.118" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "212.227.192.118", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44116, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-9GTUmcBTFzn_XoLE6A1", + "source": { + "@timestamp": "2018-11-27T00:30:28.788Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "212.227.192.118" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "212.227.192.118", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44117, + "result": "fail" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": 
"unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "28355" + }, + "source": { + "ip": "212.227.192.118" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_NGTUmcBTFzn_XoLIaG8", + "source": { + "@timestamp": "2018-11-27T00:30:32.403Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32532", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "164.132.56.243" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "164.132.56.243", + "type": "user-session" + } + }, + "sequence": 192437 + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_dGTUmcBTFzn_XoLIaG8", + "source": { + "@timestamp": "2018-11-27T00:30:32.404Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32532" + }, + "source": { + "ip": "164.132.56.243" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "164.132.56.243", + "type": "user-session" + }, + "how": 
"/usr/sbin/sshd" + }, + "sequence": 192438, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_tGTUmcBTFzn_XoLIaG8", + "source": { + "@timestamp": "2018-11-27T00:30:32.516Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32532", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "164.132.56.243" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "secondary": "164.132.56.243", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 192439, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "164.132.56.243" + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "n9GVUmcBTFzn_XoLvdvo", + "source": { + "@timestamp": "2018-11-27T00:33:23.454Z", + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "sequence": 184297, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": 
"sshd", + "secondary": "222.252.30.117", + "type": "user-session" + } + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "24978", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "222.252.30.117" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "oNGVUmcBTFzn_XoLvdvo", + "source": { + "@timestamp": "2018-11-27T00:33:23.455Z", + "source": { + "ip": "222.252.30.117" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "sequence": 184298, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "222.252.30.117", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "24978", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "odGVUmcBTFzn_XoLvdvo", + "source": { + "@timestamp": "2018-11-27T00:33:23.682Z", + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + 
"name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "24978", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "222.252.30.117" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "secondary": "222.252.30.117", + "type": "user-session", + "primary": "ssh" + } + }, + "sequence": 184299, + "result": "fail", + "session": "unset", + "data": { + "hostname": "222.252.30.117", + "op": "PAM:bad_ident", + "terminal": "ssh" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0dGUUmcBTFzn_XoLfr-C", + "source": { + "@timestamp": "2018-11-27T00:32:01.688Z", + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "194.35.114.10", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184294, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "24969", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "194.35.114.10" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"0tGUUmcBTFzn_XoLfr-C", + "source": { + "@timestamp": "2018-11-27T00:32:01.689Z", + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "194.35.114.10" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "194.35.114.10", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184295, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "24969" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "09GUUmcBTFzn_XoLfr-C", + "source": { + "@timestamp": "2018-11-27T00:32:01.975Z", + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "data": { + "terminal": "ssh", + "hostname": "194.35.114.10", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "194.35.114.10", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + } + }, + "sequence": 184296, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": 
"/usr/sbin/sshd", + "pid": "24969" + }, + "source": { + "ip": "194.35.114.10" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FdGUUmcBTFzn_XoLVrxv", + "source": { + "@timestamp": "2018-11-27T00:31:51.428Z", + "source": { + "ip": "54.222.243.60" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "54.222.243.60", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184291, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "24967" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FtGUUmcBTFzn_XoLVrxv", + "source": { + "@timestamp": "2018-11-27T00:31:51.429Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "24967" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "54.222.243.60" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "54.222.243.60", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + 
"secondary": "(invalid user)", + "primary": "unset" + } + }, + "sequence": 184292 + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "F9GUUmcBTFzn_XoLVrxv", + "source": { + "@timestamp": "2018-11-27T00:31:51.655Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "24967", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "54.222.243.60" + }, + "network": { + "direction": "incoming" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "54.222.243.60", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "54.222.243.60", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184293, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "iNGWUmcBTFzn_XoLZOnx", + "source": { + "@timestamp": "2018-11-27T00:34:06.215Z", + "auditd": { + "sequence": 186263, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "187.188.146.35", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": 
"logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31932" + }, + "source": { + "ip": "187.188.146.35" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "idGWUmcBTFzn_XoLZOnx", + "source": { + "@timestamp": "2018-11-27T00:34:06.216Z", + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "187.188.146.35", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186264, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31932", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "187.188.146.35" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "itGWUmcBTFzn_XoLZOnx", + "source": { + "@timestamp": "2018-11-27T00:34:06.294Z", + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "187.188.146.35" + }, + "summary": { + "actor": { + "primary": 
"unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "187.188.146.35", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186265, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "31932", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "187.188.146.35" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5NGTUmcBTFzn_XoLoqzb", + "source": { + "@timestamp": "2018-11-27T00:31:05.454Z", + "source": { + "ip": "190.153.219.50" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43128, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "190.153.219.50", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "pid": "12380", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5dGTUmcBTFzn_XoLoqzb", + "source": { + "@timestamp": "2018-11-27T00:31:05.454Z", + 
"process": { + "pid": "12380", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "190.153.219.50" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "190.153.219.50", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43129, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5tGTUmcBTFzn_XoLoqzb", + "source": { + "@timestamp": "2018-11-27T00:31:05.610Z", + "auditd": { + "sequence": 43130, + "result": "fail", + "session": "unset", + "data": { + "hostname": "190.153.219.50", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "190.153.219.50", + "type": "user-session" + } + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "12380", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "190.153.219.50" + }, + "network": { + "direction": "incoming" + } + } + } 
+} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "f9GUUmcBTFzn_XoLl8LQ", + "source": { + "@timestamp": "2018-11-27T00:32:08.159Z", + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12388", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.75.29.64" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "51.75.29.64", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43131, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gNGUUmcBTFzn_XoLl8LQ", + "source": { + "@timestamp": "2018-11-27T00:32:08.163Z", + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "51.75.29.64", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43132, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": 
"root" + }, + "uid": "0" + }, + "process": { + "pid": "12388", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.75.29.64" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gdGUUmcBTFzn_XoLl8LQ", + "source": { + "@timestamp": "2018-11-27T00:32:08.283Z", + "source": { + "ip": "51.75.29.64" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "51.75.29.64" + } + }, + "sequence": 43133, + "result": "fail", + "session": "unset", + "data": { + "hostname": "51.75.29.64", + "op": "PAM:bad_ident", + "terminal": "ssh" + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "12388", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "K9GUUmcBTFzn_XoLpsMN", + "source": { + "@timestamp": "2018-11-27T00:32:11.807Z", + "source": { + "ip": "159.203.94.6" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "159.203.94.6" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 43134, + "result": "fail" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": 
"demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "12390", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "LNGUUmcBTFzn_XoLpsMN", + "source": { + "@timestamp": "2018-11-27T00:32:11.807Z", + "process": { + "pid": "12390", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "159.203.94.6" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "159.203.94.6", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43135 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "LdGUUmcBTFzn_XoLpsMN", + "source": { + "@timestamp": "2018-11-27T00:32:11.839Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12390", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "159.203.94.6" + }, + "beat": { + "version": 
"7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "159.203.94.6", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "159.203.94.6", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43136 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "49GUUmcBTFzn_XoL7sk-", + "source": { + "@timestamp": "2018-11-27T00:32:30.290Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "28397", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.255.35.58" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44118, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "51.255.35.58", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5NGUUmcBTFzn_XoL7sk-", + "source": { + "@timestamp": "2018-11-27T00:32:30.290Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": 
"demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "28397", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.255.35.58" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44119, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "51.255.35.58", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5dGUUmcBTFzn_XoL7sk-", + "source": { + "@timestamp": "2018-11-27T00:32:30.394Z", + "auditd": { + "sequence": 44120, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "51.255.35.58" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "51.255.35.58", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "28397", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.255.35.58" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ZtKdUmcBTFzn_XoLzIys", + "source": { + "@timestamp": 
"2018-11-27T00:42:11.490Z", + "process": { + "pid": "28582", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "source": { + "ip": "51.75.23.199" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "51.75.23.199", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44127, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Z9KdUmcBTFzn_XoLzIys", + "source": { + "@timestamp": "2018-11-27T00:42:11.494Z", + "auditd": { + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "51.75.23.199", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44128, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "28582", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.75.23.199" + }, + "network": { + "direction": "incoming" + 
} + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "aNKdUmcBTFzn_XoLzIys", + "source": { + "@timestamp": "2018-11-27T00:42:11.598Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "28582" + }, + "source": { + "ip": "51.75.23.199" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44129, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "51.75.23.199", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "51.75.23.199" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "atKdUmcBTFzn_XoLzYxc", + "source": { + "@timestamp": "2018-11-27T00:42:11.696Z", + "source": { + "ip": "180.76.100.10" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186281, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "180.76.100.10", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": 
"user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31982" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "a9KdUmcBTFzn_XoLzYxc", + "source": { + "@timestamp": "2018-11-27T00:42:11.697Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31982", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "180.76.100.10" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186282, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "180.76.100.10", + "type": "user-session", + "primary": "sshd" + } + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "bNKdUmcBTFzn_XoLzYxc", + "source": { + "@timestamp": "2018-11-27T00:42:11.935Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31982", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "180.76.100.10" + }, + "network": { + "direction": "incoming" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": 
"root" + }, + "object": { + "primary": "ssh", + "secondary": "180.76.100.10", + "type": "user-session" + } + }, + "sequence": 186283, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "180.76.100.10", + "terminal": "ssh" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "N9KfUmcBTFzn_XoLkLSD", + "source": { + "@timestamp": "2018-11-27T00:44:07.193Z", + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "115.146.127.134", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142297, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "process": { + "pid": "19404", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "115.146.127.134" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ONKfUmcBTFzn_XoLkLSD", + "source": { + "@timestamp": "2018-11-27T00:44:07.194Z", + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "115.146.127.134" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + 
} + }, + "sequence": 142298, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19404", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "115.146.127.134" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "OdKfUmcBTFzn_XoLkLSD", + "source": { + "@timestamp": "2018-11-27T00:44:07.394Z", + "process": { + "pid": "19404", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "115.146.127.134" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142299, + "result": "fail", + "session": "unset", + "data": { + "hostname": "115.146.127.134", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "object": { + "secondary": "115.146.127.134", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ftKgUmcBTFzn_XoLxc3Y", + "source": { + "@timestamp": "2018-11-27T00:45:26.381Z", + "auditd": { + "sequence": 184306, + "result": "fail", + "session": "unset", + "data": { + 
"op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "201.245.191.102", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "25092" + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "201.245.191.102" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "f9KgUmcBTFzn_XoLxc3Y", + "source": { + "@timestamp": "2018-11-27T00:45:26.382Z", + "source": { + "ip": "201.245.191.102" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "object": { + "secondary": "201.245.191.102", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 184307, + "result": "fail" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "25092", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gNKgUmcBTFzn_XoLxc3Y", + "source": { + "@timestamp": "2018-11-27T00:45:26.503Z", + "process": { + "pid": "25092", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "201.245.191.102" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "201.245.191.102", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "201.245.191.102", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184308, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "59KeUmcBTFzn_XoLO5ZL", + "source": { + "@timestamp": "2018-11-27T00:42:39.841Z", + "process": { + "pid": "19396", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "209.97.173.192" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142294, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "209.97.173.192", + "type": "user-session" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "beat": { + 
"name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6NKeUmcBTFzn_XoLO5ZL", + "source": { + "@timestamp": "2018-11-27T00:42:39.843Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19396", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "209.97.173.192" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "object": { + "secondary": "209.97.173.192", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 142295, + "result": "fail", + "session": "unset" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6dKeUmcBTFzn_XoLO5ZL", + "source": { + "@timestamp": "2018-11-27T00:42:40.035Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19396", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "209.97.173.192" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142296, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "209.97.173.192" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + 
}, + "object": { + "primary": "ssh", + "secondary": "209.97.173.192", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "xdKbUmcBTFzn_XoL6WOD", + "source": { + "@timestamp": "2018-11-27T00:40:07.833Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32633" + }, + "source": { + "ip": "134.175.28.156" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192449, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "134.175.28.156", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "xtKbUmcBTFzn_XoL6WOD", + "source": { + "@timestamp": "2018-11-27T00:40:07.834Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32633", + "exe": "/usr/sbin/sshd" + }, + "source": { + 
"ip": "134.175.28.156" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "134.175.28.156", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192450, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "x9KbUmcBTFzn_XoL6WOD", + "source": { + "@timestamp": "2018-11-27T00:40:08.034Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "134.175.28.156", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "134.175.28.156", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192451 + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32633", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "134.175.28.156" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ntKbUmcBTFzn_XoL2WE6", + "source": { + "@timestamp": "2018-11-27T00:40:03.664Z", + "source": { + "ip": "79.134.4.138" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + 
"session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "79.134.4.138", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 186278 + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31968", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "n9KbUmcBTFzn_XoL2WE6", + "source": { + "@timestamp": "2018-11-27T00:40:03.665Z", + "process": { + "pid": "31968", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "79.134.4.138" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "79.134.4.138", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186279, + "result": "fail" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"oNKbUmcBTFzn_XoL2WE6", + "source": { + "@timestamp": "2018-11-27T00:40:03.838Z", + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "auditd": { + "sequence": 186280, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "79.134.4.138", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "79.134.4.138", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31968" + }, + "source": { + "ip": "79.134.4.138" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "lNKdUmcBTFzn_XoLiIaH", + "source": { + "@timestamp": "2018-11-27T00:41:54.077Z", + "source": { + "ip": "203.66.168.81" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "203.66.168.81", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142291 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": 
"unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19393" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ldKdUmcBTFzn_XoLiIaH", + "source": { + "@timestamp": "2018-11-27T00:41:54.078Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142292, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "203.66.168.81", + "type": "user-session" + } + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19393", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "203.66.168.81" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ltKdUmcBTFzn_XoLiIaH", + "source": { + "@timestamp": "2018-11-27T00:41:54.267Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19393" + }, + "source": { + "ip": "203.66.168.81" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "203.66.168.81" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + 
"secondary": "203.66.168.81", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142293 + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "zNKeUmcBTFzn_XoLtKCT", + "source": { + "@timestamp": "2018-11-27T00:43:10.887Z", + "source": { + "ip": "116.93.119.13" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "116.93.119.13", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43137, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "pid": "12451", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "zdKeUmcBTFzn_XoLtKCT", + "source": { + "@timestamp": "2018-11-27T00:43:10.887Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "12451", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "116.93.119.13" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": 
{ + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "116.93.119.13", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 43138 + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ztKeUmcBTFzn_XoLtKCT", + "source": { + "@timestamp": "2018-11-27T00:43:11.127Z", + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12451" + }, + "source": { + "ip": "116.93.119.13" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "hostname": "116.93.119.13", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "116.93.119.13" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43139 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YdKbUmcBTFzn_XoLs16u", + "source": { + "@timestamp": "2018-11-27T00:39:54.048Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": 
"28538", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "41.185.28.133" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "41.185.28.133", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44124, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YtKbUmcBTFzn_XoLs16u", + "source": { + "@timestamp": "2018-11-27T00:39:54.052Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "41.185.28.133", + "type": "user-session" + } + }, + "sequence": 44125, + "result": "fail" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "28538", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "41.185.28.133" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Y9KbUmcBTFzn_XoLs16u", + "source": { + "@timestamp": "2018-11-27T00:39:54.292Z", + "user": { + "uid": "0", + "name_map": { + 
"uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "28538", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "41.185.28.133" + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "hostname": "41.185.28.133", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "41.185.28.133" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44126, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "otOnUmcBTFzn_XoLmmNb", + "source": { + "@timestamp": "2018-11-27T00:52:54.001Z", + "process": { + "pid": "25143", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "190.0.10.138" + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184318, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "190.0.10.138" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "o9OnUmcBTFzn_XoLmmNb", + "source": { + "@timestamp": "2018-11-27T00:52:54.002Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "25143", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "190.0.10.138" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "190.0.10.138", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184319, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "pNOnUmcBTFzn_XoLmmNb", + "source": { + "@timestamp": "2018-11-27T00:52:54.109Z", + "source": { + "ip": "190.0.10.138" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184320, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "190.0.10.138", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "190.0.10.138", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + 
"auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "25143" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "59OrUmcBTFzn_XoL6cFF", + "source": { + "@timestamp": "2018-11-27T00:57:36.347Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192455, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "secondary": "202.28.34.200", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32742", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "202.28.34.200" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6NOrUmcBTFzn_XoL6cFF", + "source": { + "@timestamp": "2018-11-27T00:57:36.348Z", + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32742" + }, + "source": { + "ip": "202.28.34.200" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192456, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "202.28.34.200", + "type": 
"user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6dOrUmcBTFzn_XoL6cFF", + "source": { + "@timestamp": "2018-11-27T00:57:36.577Z", + "process": { + "pid": "32742", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "202.28.34.200" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "hostname": "202.28.34.200", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "202.28.34.200" + } + }, + "sequence": 192457 + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "P9OsUmcBTFzn_XoLBsX4", + "source": { + "@timestamp": "2018-11-27T00:57:43.944Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + 
"process": { + "pid": "12534", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "103.10.44.255" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "secondary": "103.10.44.255", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43146, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QNOsUmcBTFzn_XoLBsX4", + "source": { + "@timestamp": "2018-11-27T00:57:43.948Z", + "process": { + "pid": "12534", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "103.10.44.255" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43147, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "103.10.44.255" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QdOsUmcBTFzn_XoLBsX4", + "source": { + "@timestamp": "2018-11-27T00:57:44.144Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": 
"root" + }, + "uid": "0" + }, + "process": { + "pid": "12534", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "103.10.44.255" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "hostname": "103.10.44.255", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "103.10.44.255", + "type": "user-session" + } + }, + "sequence": 43148, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FNOpUmcBTFzn_XoLlY-1", + "source": { + "@timestamp": "2018-11-27T00:55:03.881Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "146.0.105.29", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 186287 + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32040", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "146.0.105.29" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FdOpUmcBTFzn_XoLlY-1", + "source": { + "@timestamp": 
"2018-11-27T00:55:03.882Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "secondary": "146.0.105.29", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 186288, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32040", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "146.0.105.29" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FtOpUmcBTFzn_XoLlY-1", + "source": { + "@timestamp": "2018-11-27T00:55:04.004Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "secondary": "146.0.105.29", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186289, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "146.0.105.29" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32040", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "146.0.105.29" + }, + "network": { + "direction": 
"incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FtOpUmcBTFzn_XoL5pZA", + "source": { + "@timestamp": "2018-11-27T00:55:24.501Z", + "process": { + "pid": "12520", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "217.19.148.142" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "217.19.148.142", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43143, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "F9OpUmcBTFzn_XoL5pZA", + "source": { + "@timestamp": "2018-11-27T00:55:24.501Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12520" + }, + "source": { + "ip": "217.19.148.142" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "217.19.148.142", 
+ "type": "user-session" + } + }, + "sequence": 43144, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "GNOpUmcBTFzn_XoL5pZA", + "source": { + "@timestamp": "2018-11-27T00:55:24.637Z", + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12520", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "217.19.148.142" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "217.19.148.142" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "217.19.148.142", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43145, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2NOmUmcBTFzn_XoLfUpL", + "source": { + "@timestamp": "2018-11-27T00:51:41.026Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "59.120.243.8", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184315, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": 
"demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "25134", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "59.120.243.8" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2dOmUmcBTFzn_XoLfUpL", + "source": { + "@timestamp": "2018-11-27T00:51:41.027Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "59.120.243.8", + "type": "user-session" + } + }, + "sequence": 184316, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "25134", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "59.120.243.8" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2tOmUmcBTFzn_XoLfUpL", + "source": { + "@timestamp": "2018-11-27T00:51:41.202Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + 
"user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "25134" + }, + "source": { + "ip": "59.120.243.8" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "hostname": "59.120.243.8", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "59.120.243.8", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 184317, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "h9OpUmcBTFzn_XoLWIru", + "source": { + "@timestamp": "2018-11-27T00:54:48.324Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "pid": "32723", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "124.6.139.242" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "124.6.139.242", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 192452, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "iNOpUmcBTFzn_XoLWIru", + "source": { + "@timestamp": "2018-11-27T00:54:48.325Z", + "process": { + "pid": "32723", + "exe": "/usr/sbin/sshd" + }, + "beat": { + 
"version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "124.6.139.242" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "124.6.139.242", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192453, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "idOpUmcBTFzn_XoLWIru", + "source": { + "@timestamp": "2018-11-27T00:54:48.556Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32723", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "124.6.139.242" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "124.6.139.242" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "124.6.139.242", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192454, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YtOqUmcBTFzn_XoLnqU0", + "source": { + "@timestamp": "2018-11-27T00:56:11.591Z", + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "28851", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "93.152.166.29" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44139, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "secondary": "93.152.166.29", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Y9OqUmcBTFzn_XoLnqU0", + "source": { + "@timestamp": "2018-11-27T00:56:11.591Z", + "source": { + "ip": "93.152.166.29" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "93.152.166.29", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44140, + "result": "fail" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "uid": "0", + 
"name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "28851" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ZNOqUmcBTFzn_XoLnqU0", + "source": { + "@timestamp": "2018-11-27T00:56:11.743Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "28851", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "93.152.166.29" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "ssh", + "secondary": "93.152.166.29", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 44141, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "93.152.166.29", + "op": "PAM:bad_ident" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "q9OnUmcBTFzn_XoLxWfH", + "source": { + "@timestamp": "2018-11-27T00:53:05.113Z", + "process": { + "pid": "28796", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "222.117.50.66" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44136, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "222.117.50.66", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": 
"demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rNOnUmcBTFzn_XoLxWfH", + "source": { + "@timestamp": "2018-11-27T00:53:05.113Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "28796", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "222.117.50.66" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "222.117.50.66", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 44137 + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rdOnUmcBTFzn_XoLxWfH", + "source": { + "@timestamp": "2018-11-27T00:53:05.277Z", + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "28796", + "exe": "/usr/sbin/sshd" 
+ }, + "source": { + "ip": "222.117.50.66" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "222.117.50.66", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44138, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "222.117.50.66", + "op": "PAM:bad_ident" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_tSyUmcBTFzn_XoLI0rV", + "source": { + "@timestamp": "2018-11-27T01:04:24.552Z", + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32096", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "115.146.127.133" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186305, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "115.146.127.133" + }, + "how": "/usr/sbin/sshd" + } + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_9SyUmcBTFzn_XoLI0rV", + "source": { + "@timestamp": "2018-11-27T01:04:24.554Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + 
"pid": "32096", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "115.146.127.133" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186306, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "115.146.127.133", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ANSyUmcBTFzn_XoLI0vV", + "source": { + "@timestamp": "2018-11-27T01:04:24.758Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32096" + }, + "source": { + "ip": "115.146.127.133" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186307, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "115.146.127.133" + }, + "summary": { + "object": { + "secondary": "115.146.127.133", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "oNSxUmcBTFzn_XoL-0d6", + "source": { + "@timestamp": "2018-11-27T01:04:14.224Z", + "beat": { + 
"name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32089", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186302, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "odSxUmcBTFzn_XoL-0d6", + "source": { + "@timestamp": "2018-11-27T01:04:14.225Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32089" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "sequence": 186303, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + } + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + 
+{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "otSxUmcBTFzn_XoL-0d6", + "source": { + "@timestamp": "2018-11-27T01:04:14.256Z", + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32089" + }, + "source": { + "ip": "107.170.65.109" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 186304, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JNSyUmcBTFzn_XoL2FqQ", + "source": { + "@timestamp": "2018-11-27T01:05:10.789Z", + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186308 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": 
{ + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32100", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JdSyUmcBTFzn_XoL2FqQ", + "source": { + "@timestamp": "2018-11-27T01:05:10.790Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32100", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186309, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JtSyUmcBTFzn_XoL2FqQ", + "source": { + "@timestamp": "2018-11-27T01:05:10.821Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186310, + "result": "fail", + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + 
"action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32100", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "9tSxUmcBTFzn_XoLATF1", + "source": { + "@timestamp": "2018-11-27T01:03:10.216Z", + "auditd": { + "sequence": 142318, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "81.174.25.52" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "process": { + "pid": "19519", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "81.174.25.52" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "99SxUmcBTFzn_XoLATF1", + "source": { + "@timestamp": "2018-11-27T01:03:10.217Z", + "process": { + "pid": "19519", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "81.174.25.52" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "network": { + "direction": 
"incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "81.174.25.52", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142319 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-NSxUmcBTFzn_XoLATF1", + "source": { + "@timestamp": "2018-11-27T01:03:10.360Z", + "auditd": { + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "81.174.25.52" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "81.174.25.52", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142320, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "19519", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "81.174.25.52" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "69SyUmcBTFzn_XoLSE3q", + "source": { + "@timestamp": "2018-11-27T01:04:34.043Z", + "source": { + "ip": "110.170.166.101" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + 
"session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "110.170.166.101", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43149, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12572", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "7NSyUmcBTFzn_XoLSE3q", + "source": { + "@timestamp": "2018-11-27T01:04:34.043Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "pid": "12572", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "110.170.166.101" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43150, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "110.170.166.101" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": 
"doc", + "id": "7dSyUmcBTFzn_XoLSE3q", + "source": { + "@timestamp": "2018-11-27T01:04:34.263Z", + "auditd": { + "summary": { + "object": { + "secondary": "110.170.166.101", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 43151, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "110.170.166.101", + "op": "PAM:bad_ident" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12572" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "110.170.166.101" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "R9SzUmcBTFzn_XoLbGcD", + "source": { + "@timestamp": "2018-11-27T01:05:48.570Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192461, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "178.155.249.205", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "316", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + 
}, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "178.155.249.205" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "SNSzUmcBTFzn_XoLbGcD", + "source": { + "@timestamp": "2018-11-27T01:05:48.571Z", + "process": { + "pid": "316", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.155.249.205" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192462, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "178.155.249.205", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "SdSzUmcBTFzn_XoLbGcD", + "source": { + "@timestamp": "2018-11-27T01:05:48.697Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "316", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.155.249.205" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": 
"PAM:bad_ident", + "terminal": "ssh", + "hostname": "178.155.249.205" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "178.155.249.205", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 192463 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "wtSxUmcBTFzn_XoLPTZz", + "source": { + "@timestamp": "2018-11-27T01:03:25.577Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32085", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 186296, + "result": "fail" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "w9SxUmcBTFzn_XoLPTZz", + "source": { + "@timestamp": "2018-11-27T01:03:25.578Z", + "process": { + "pid": "32085", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "sequence": 186297, + "result": "fail", + "session": 
"unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "xNSxUmcBTFzn_XoLPTZz", + "source": { + "@timestamp": "2018-11-27T01:03:25.609Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186298, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "107.170.65.109", + "op": "PAM:bad_ident" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32085", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "jdSxUmcBTFzn_XoLZToB", + "source": { + "@timestamp": "2018-11-27T01:03:35.702Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": 
"unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32087", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.131.37.34" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "104.131.37.34", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186299, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "jtSxUmcBTFzn_XoLZToB", + "source": { + "@timestamp": "2018-11-27T01:03:35.707Z", + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "104.131.37.34" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186300 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32087", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.131.37.34" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "j9SxUmcBTFzn_XoLZToB", + "source": { + "@timestamp": 
"2018-11-27T01:03:35.739Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "104.131.37.34" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "104.131.37.34", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "104.131.37.34", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186301, + "result": "fail" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32087", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ydSzUmcBTFzn_XoLemeL", + "source": { + "@timestamp": "2018-11-27T01:05:52.289Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192464, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "195.68.29.234" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "323", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "195.68.29.234" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": 
"demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ytSzUmcBTFzn_XoLemeL", + "source": { + "@timestamp": "2018-11-27T01:05:52.290Z", + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "195.68.29.234" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192465, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "323", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "195.68.29.234" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "y9SzUmcBTFzn_XoLemeL", + "source": { + "@timestamp": "2018-11-27T01:05:52.396Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "195.68.29.234" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "195.68.29.234" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192466, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": 
"demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "323" + }, + "source": { + "ip": "195.68.29.234" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "sNS4UmcBTFzn_XoLe9YN", + "source": { + "@timestamp": "2018-11-27T01:11:20.098Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32151", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186337, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "sdS4UmcBTFzn_XoLe9YN", + "source": { + "@timestamp": "2018-11-27T01:11:20.099Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32151", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + 
"network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + } + }, + "sequence": 186338 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "stS4UmcBTFzn_XoLe9YN", + "source": { + "@timestamp": "2018-11-27T01:11:20.130Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32151" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "hostname": "107.170.65.109", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "ssh" + } + }, + "sequence": 186339, + "result": "fail", + "session": "unset" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "MNS5UmcBTFzn_XoLKuU8", + "source": { + "@timestamp": "2018-11-27T01:12:04.946Z", + "auditd": { + "sequence": 192488, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "object": { + "secondary": "192.208.184.216", + "type": "user-session", + "primary": "sshd" + }, + 
"how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "428", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "192.208.184.216" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "MdS5UmcBTFzn_XoLKuU8", + "source": { + "@timestamp": "2018-11-27T01:12:04.947Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192489, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "192.208.184.216", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "428", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "192.208.184.216" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "MtS5UmcBTFzn_XoLKuU8", + "source": { + "@timestamp": "2018-11-27T01:12:04.962Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": 
"unset" + }, + "process": { + "pid": "428", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "192.208.184.216" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192490, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "192.208.184.216" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "192.208.184.216", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "GtW7UmcBTFzn_XoLNhOL", + "source": { + "@timestamp": "2018-11-27T01:14:19.169Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32173" + }, + "source": { + "ip": "73.15.91.251" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "73.15.91.251", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186350 + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "G9W7UmcBTFzn_XoLNhOL", + "source": { + "@timestamp": "2018-11-27T01:14:19.170Z", + "source": { + "ip": "73.15.91.251" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186351, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "73.15.91.251" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32173", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "HNW7UmcBTFzn_XoLNhOL", + "source": { + "@timestamp": "2018-11-27T01:14:19.234Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32173", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "73.15.91.251" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186352, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "73.15.91.251", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": 
"73.15.91.251", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "R9W6UmcBTFzn_XoL9Aya", + "source": { + "@timestamp": "2018-11-27T01:14:02.288Z", + "process": { + "pid": "32171", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "201.144.84.82" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "201.144.84.82", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186347 + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "SNW6UmcBTFzn_XoL9Aya", + "source": { + "@timestamp": "2018-11-27T01:14:02.289Z", + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "201.144.84.82", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186348, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": 
"root" + }, + "uid": "0" + }, + "process": { + "pid": "32171", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "201.144.84.82" + }, + "network": { + "direction": "incoming" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "SdW6UmcBTFzn_XoL9Aya", + "source": { + "@timestamp": "2018-11-27T01:14:02.352Z", + "source": { + "ip": "201.144.84.82" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "201.144.84.82", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186349, + "result": "fail", + "session": "unset", + "data": { + "hostname": "201.144.84.82", + "op": "PAM:bad_ident", + "terminal": "ssh" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32171", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "19W7UmcBTFzn_XoLRBML", + "source": { + "@timestamp": "2018-11-27T01:14:22.625Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" 
+ }, + "process": { + "pid": "32175", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + }, + "sequence": 186353 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2NW7UmcBTFzn_XoLRBML", + "source": { + "@timestamp": "2018-11-27T01:14:22.627Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186354, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32175", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2dW7UmcBTFzn_XoLRBML", + "source": { + "@timestamp": "2018-11-27T01:14:22.658Z", + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, 
+ "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32175" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186355, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "107.170.65.109" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ltW6UmcBTFzn_XoLawEv", + "source": { + "@timestamp": "2018-11-27T01:13:27.109Z", + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186344, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32168" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "l9W6UmcBTFzn_XoLawEv", + "source": { + 
"@timestamp": "2018-11-27T01:13:27.110Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32168", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + } + }, + "sequence": 186345, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "mNW6UmcBTFzn_XoLawEv", + "source": { + "@timestamp": "2018-11-27T01:13:27.142Z", + "process": { + "pid": "32168", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "107.170.65.109" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "107.170.65.109" + } + }, + "sequence": 186346, + "result": "fail" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { 
+ "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gdS5UmcBTFzn_XoLl-71", + "source": { + "@timestamp": "2018-11-27T01:12:33.036Z", + "auditd": { + "sequence": 186341, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "46.148.18.163", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32161" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "46.148.18.163" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gtS5UmcBTFzn_XoLl-71", + "source": { + "@timestamp": "2018-11-27T01:12:33.037Z", + "auditd": { + "sequence": 186342, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "46.148.18.163", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32161", + "exe": "/usr/sbin/sshd" + }, + "beat": { + 
"name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "46.148.18.163" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "g9S5UmcBTFzn_XoLl-71", + "source": { + "@timestamp": "2018-11-27T01:12:33.179Z", + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "32161", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.148.18.163" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "46.148.18.163", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "46.148.18.163", + "type": "user-session", + "primary": "ssh" + } + }, + "sequence": 186343, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "LdW7UmcBTFzn_XoLDA9a", + "source": { + "@timestamp": "2018-11-27T01:14:08.367Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "438" + }, + "source": { + "ip": "193.70.38.229" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { 
+ "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "193.70.38.229" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192491 + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "LtW7UmcBTFzn_XoLDA9a", + "source": { + "@timestamp": "2018-11-27T01:14:08.368Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "438" + }, + "source": { + "ip": "193.70.38.229" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192492, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "193.70.38.229", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "L9W7UmcBTFzn_XoLDA9a", + "source": { + "@timestamp": "2018-11-27T01:14:08.480Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "193.70.38.229", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + 
"primary": "ssh", + "secondary": "193.70.38.229" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192493 + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "438", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "193.70.38.229" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "M9S5UmcBTFzn_XoLcevO", + "source": { + "@timestamp": "2018-11-27T01:12:23.261Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "107.170.65.109" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186340 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32158", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "SdW9UmcBTFzn_XoLHz_j", + "source": { + "@timestamp": "2018-11-27T01:16:24.437Z", + "auditd": { + "sequence": 44170, + "result": "fail", + "session": "unset", + 
"data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "37.187.113.229", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "29260", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "37.187.113.229" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "StW9UmcBTFzn_XoLHz_j", + "source": { + "@timestamp": "2018-11-27T01:16:24.437Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "29260", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "37.187.113.229" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44171, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "37.187.113.229", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + 
"type": "doc", + "id": "S9W9UmcBTFzn_XoLHz_j", + "source": { + "@timestamp": "2018-11-27T01:16:24.541Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "29260", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "37.187.113.229" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "sequence": 44172, + "result": "fail", + "session": "unset", + "data": { + "hostname": "37.187.113.229", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "37.187.113.229" + } + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "q9W9UmcBTFzn_XoLJj-I", + "source": { + "@timestamp": "2018-11-27T01:16:26.142Z", + "process": { + "pid": "25331", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "103.249.205.78" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "103.249.205.78" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184334, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": 
"logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rNW9UmcBTFzn_XoLJj-I", + "source": { + "@timestamp": "2018-11-27T01:16:26.143Z", + "process": { + "pid": "25331", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "103.249.205.78" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184335, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "103.249.205.78", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rdW9UmcBTFzn_XoLJj-I", + "source": { + "@timestamp": "2018-11-27T01:16:26.372Z", + "source": { + "ip": "103.249.205.78" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "ssh", + "hostname": "103.249.205.78", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "103.249.205.78", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184336, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { 
+ "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "25331" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "b9W8UmcBTFzn_XoLiTGg", + "source": { + "@timestamp": "2018-11-27T01:15:45.974Z", + "auditd": { + "sequence": 186365, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "46.148.18.163", + "type": "user-session" + } + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32190", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.148.18.163" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "cNW8UmcBTFzn_XoLiTGg", + "source": { + "@timestamp": "2018-11-27T01:15:45.975Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186366, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "46.148.18.163", + 
"type": "user-session" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32190", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "46.148.18.163" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "cdW8UmcBTFzn_XoLiTGg", + "source": { + "@timestamp": "2018-11-27T01:15:46.119Z", + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32190", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.148.18.163" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "46.148.18.163" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "46.148.18.163" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 186367, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FtW8UmcBTFzn_XoLkzMm", + "source": { + "@timestamp": "2018-11-27T01:15:48.412Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32192" + }, + "source": { + "ip": "107.170.65.109" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": 
"demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 186368, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "F9W8UmcBTFzn_XoLkzMm", + "source": { + "@timestamp": "2018-11-27T01:15:48.413Z", + "process": { + "pid": "32192", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186369, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "GNW8UmcBTFzn_XoLkzMm", + "source": { + "@timestamp": 
"2018-11-27T01:15:48.444Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186370, + "result": "fail", + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + } + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "32192", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "g9W7UmcBTFzn_XoL5iPr", + "source": { + "@timestamp": "2018-11-27T01:15:04.321Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32185" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186359, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": 
"unset", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "hNW7UmcBTFzn_XoL5iPr", + "source": { + "@timestamp": "2018-11-27T01:15:04.322Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186360, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "32185", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "hdW7UmcBTFzn_XoL5iPr", + "source": { + "@timestamp": "2018-11-27T01:15:04.353Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32185", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "hostname": "107.170.65.109", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + } + }, + "sequence": 186361, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + 
"hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ddW7UmcBTFzn_XoLfxpa", + "source": { + "@timestamp": "2018-11-27T01:14:37.808Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "sshd", + "secondary": "128.199.91.82", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 186356, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32178", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "128.199.91.82" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "dtW7UmcBTFzn_XoLfxpa", + "source": { + "@timestamp": "2018-11-27T01:14:37.809Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32178" + }, + "source": { + "ip": "128.199.91.82" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + 
"secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "128.199.91.82" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186357, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "d9W7UmcBTFzn_XoLfxpa", + "source": { + "@timestamp": "2018-11-27T01:14:38.002Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "128.199.91.82", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "128.199.91.82", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186358, + "result": "fail" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32178" + }, + "source": { + "ip": "128.199.91.82" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "I9W8UmcBTFzn_XoLdzAT", + "source": { + "@timestamp": "2018-11-27T01:15:41.225Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186362, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": 
"(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "89.36.221.229", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32188", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "89.36.221.229" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JNW8UmcBTFzn_XoLdzAT", + "source": { + "@timestamp": "2018-11-27T01:15:41.226Z", + "source": { + "ip": "89.36.221.229" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186363, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "89.36.221.229" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32188", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JdW8UmcBTFzn_XoLdzAT", + "source": { + "@timestamp": "2018-11-27T01:15:41.329Z", + "source": { + "ip": "89.36.221.229" + }, + "beat": { + "name": 
"demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "hostname": "89.36.221.229", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "89.36.221.229", + "type": "user-session" + } + }, + "sequence": 186364, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32188", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5dW7UmcBTFzn_XoLcBda", + "source": { + "@timestamp": "2018-11-27T01:14:33.960Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "131.100.219.3", + "type": "user-session" + } + }, + "sequence": 44161, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "29218", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "131.100.219.3" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5tW7UmcBTFzn_XoLcBda", + "source": { + "@timestamp": "2018-11-27T01:14:33.964Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "29218", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "131.100.219.3" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "131.100.219.3" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44162, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "59W7UmcBTFzn_XoLcBda", + "source": { + "@timestamp": "2018-11-27T01:14:34.176Z", + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "29218", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "131.100.219.3" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "131.100.219.3" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "131.100.219.3", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44163, + "result": 
"fail" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "D9W8UmcBTFzn_XoL6Do7", + "source": { + "@timestamp": "2018-11-27T01:16:10.192Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32194", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "81.66.86.4" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "81.66.86.4" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186371, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ENW8UmcBTFzn_XoL6Do7", + "source": { + "@timestamp": "2018-11-27T01:16:10.194Z", + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "81.66.86.4" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186372, + "result": "fail", + "session": "unset" + 
}, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32194" + }, + "source": { + "ip": "81.66.86.4" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "EdW8UmcBTFzn_XoL6Do7", + "source": { + "@timestamp": "2018-11-27T01:16:10.308Z", + "source": { + "ip": "81.66.86.4" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "81.66.86.4", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186373, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "81.66.86.4" + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "32194", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "cNW8UmcBTFzn_XoLvDaC", + "source": { + "@timestamp": "2018-11-27T01:15:58.995Z", + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "204.145.5.2", + 
"type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44164, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "29245", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "204.145.5.2" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "cdW8UmcBTFzn_XoLvDaC", + "source": { + "@timestamp": "2018-11-27T01:15:58.999Z", + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "204.145.5.2", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 44165, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "29245", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "204.145.5.2" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ctW8UmcBTFzn_XoLvDaC", + "source": { + "@timestamp": "2018-11-27T01:15:59.199Z", + "process": { + "pid": "29245", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "204.145.5.2" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "204.145.5.2", + 
"terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "204.145.5.2", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44166, + "result": "fail" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "f9W8UmcBTFzn_XoL_Dt-", + "source": { + "@timestamp": "2018-11-27T01:16:15.376Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "51.15.40.125", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 44167 + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "29255" + }, + "source": { + "ip": "51.15.40.125" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gNW8UmcBTFzn_XoL_Dt-", + "source": { + "@timestamp": "2018-11-27T01:16:15.376Z", + "beat": { + "name": "demo-stack-es-01", + "hostname": 
"demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "51.15.40.125", + "type": "user-session" + } + }, + "sequence": 44168 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "29255" + }, + "source": { + "ip": "51.15.40.125" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gdW8UmcBTFzn_XoL_Dt-", + "source": { + "@timestamp": "2018-11-27T01:16:15.488Z", + "auditd": { + "sequence": 44169, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "51.15.40.125" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "51.15.40.125", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "29255" + }, + "source": { + "ip": "51.15.40.125" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "INXAUmcBTFzn_XoLvI6Q", + "source": { + "@timestamp": "2018-11-27T01:20:21.158Z", + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "138.68.50.250", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + }, + "sequence": 142333, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "19612", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "138.68.50.250" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "IdXAUmcBTFzn_XoLvI6Q", + "source": { + "@timestamp": "2018-11-27T01:20:21.159Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19612", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "source": { + "ip": "138.68.50.250" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": 
"138.68.50.250", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142334, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ItXAUmcBTFzn_XoLvI6Q", + "source": { + "@timestamp": "2018-11-27T01:20:21.200Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19612" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "source": { + "ip": "138.68.50.250" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142335, + "result": "fail", + "session": "unset", + "data": { + "hostname": "138.68.50.250", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "138.68.50.250", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "BdXAUmcBTFzn_XoLyZBk", + "source": { + "@timestamp": "2018-11-27T01:20:24.441Z", + "event": { + "category": "system-services", + "type": "service_start", + "action": "started-service", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "name": "systemd", + "exe": "/lib/systemd/systemd", + "pid": "1" + }, + "auditd": { + "session": "unset", + "data": { + "unit": "apt-daily" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "apt-daily", + "type": "service" + }, + "how": 
"/lib/systemd/systemd" + }, + "sequence": 184343, + "result": "success" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "BtXAUmcBTFzn_XoLyZBk", + "source": { + "@timestamp": "2018-11-27T01:20:24.441Z", + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "sequence": 184344, + "result": "success", + "session": "unset", + "data": { + "unit": "apt-daily" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "apt-daily", + "type": "service" + }, + "how": "/lib/systemd/systemd" + } + }, + "event": { + "type": "service_stop", + "action": "stopped-service", + "module": "auditd", + "category": "system-services" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "1", + "name": "systemd", + "exe": "/lib/systemd/systemd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "yNW_UmcBTFzn_XoL_n0W", + "source": { + "@timestamp": "2018-11-27T01:19:32.396Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186392, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + 
}, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32225", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ydW_UmcBTFzn_XoL_n0W", + "source": { + "@timestamp": "2018-11-27T01:19:32.398Z", + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186393, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + } + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32225", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ytW_UmcBTFzn_XoL_n0W", + "source": { + "@timestamp": "2018-11-27T01:19:32.428Z", + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + 
"exe": "/usr/sbin/sshd", + "pid": "32225" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "107.170.65.109" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186394 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "PNXAUmcBTFzn_XoLAX59", + "source": { + "@timestamp": "2018-11-27T01:19:33.267Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "83.222.240.60", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + }, + "sequence": 192500 + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "473", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "83.222.240.60" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "PdXAUmcBTFzn_XoLAX59", + "source": { + "@timestamp": "2018-11-27T01:19:33.268Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "event": { + "type": "user_login", + "action": "logged-in", + 
"module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "473", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "83.222.240.60" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "83.222.240.60", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192501, + "result": "fail", + "session": "unset" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "PtXAUmcBTFzn_XoLAX59", + "source": { + "@timestamp": "2018-11-27T01:19:33.371Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "473" + }, + "source": { + "ip": "83.222.240.60" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "hostname": "83.222.240.60", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "83.222.240.60", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192502, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "L9XBUmcBTFzn_XoLuKRN", + "source": { + "@timestamp": 
"2018-11-27T01:21:25.603Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186398, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "153.254.115.57", + "type": "user-session" + } + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32236", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "153.254.115.57" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "MNXBUmcBTFzn_XoLuKRN", + "source": { + "@timestamp": "2018-11-27T01:21:25.604Z", + "auditd": { + "sequence": 186399, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "153.254.115.57", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "32236", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "153.254.115.57" + }, + "network": { 
+ "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "MdXBUmcBTFzn_XoLuKRN", + "source": { + "@timestamp": "2018-11-27T01:21:25.817Z", + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32236" + }, + "source": { + "ip": "153.254.115.57" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "hostname": "153.254.115.57", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "153.254.115.57", + "type": "user-session" + } + }, + "sequence": 186400, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "xtXCUmcBTFzn_XoLq7my", + "source": { + "@timestamp": "2018-11-27T01:22:27.912Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "118.163.107.56", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186404, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": 
"logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32246", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "118.163.107.56" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "x9XCUmcBTFzn_XoLq7my", + "source": { + "@timestamp": "2018-11-27T01:22:27.914Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "process": { + "pid": "32246", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "118.163.107.56" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "118.163.107.56", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186405, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "yNXCUmcBTFzn_XoLq7my", + "source": { + "@timestamp": "2018-11-27T01:22:28.078Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32246" + }, + "source": { + "ip": "118.163.107.56" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": 
{ + "hostname": "118.163.107.56", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "118.163.107.56", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186406 + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "8dXBUmcBTFzn_XoL0KVY", + "source": { + "@timestamp": "2018-11-27T01:21:31.757Z", + "process": { + "pid": "32238", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186401, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "8tXBUmcBTFzn_XoL0KVY", + "source": { + "@timestamp": "2018-11-27T01:21:31.758Z", + "source": { + "ip": "107.170.65.109" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { 
+ "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186402, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32238" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "89XBUmcBTFzn_XoL0KVY", + "source": { + "@timestamp": "2018-11-27T01:21:31.789Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186403, + "result": "fail" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32238", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_dXAUmcBTFzn_XoL55GP", + "source": { + "@timestamp": "2018-11-27T01:20:32.165Z", + "event": { + "category": "user-login", + "type": "user_login", + 
"action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "32229", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186395, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_tXAUmcBTFzn_XoL55GP", + "source": { + "@timestamp": "2018-11-27T01:20:32.166Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32229", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186396, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_9XAUmcBTFzn_XoL55GP", + "source": { + "@timestamp": "2018-11-27T01:20:32.197Z", + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32229", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186397, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "107.170.65.109", + "terminal": "ssh" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "xNXCUmcBTFzn_XoLQq83", + "source": { + "@timestamp": "2018-11-27T01:22:00.907Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "pid": "12675", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "145.239.237.80" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "145.239.237.80" + }, + "how": "/usr/sbin/sshd" + }, + 
"sequence": 43161 + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "xdXCUmcBTFzn_XoLQq83", + "source": { + "@timestamp": "2018-11-27T01:22:00.907Z", + "source": { + "ip": "145.239.237.80" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "145.239.237.80", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43162, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "12675", + "exe": "/usr/sbin/sshd" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "xtXCUmcBTFzn_XoLQq83", + "source": { + "@timestamp": "2018-11-27T01:22:01.039Z", + "source": { + "ip": "145.239.237.80" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "145.239.237.80", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "145.239.237.80", + 
"type": "user-session" + } + }, + "sequence": 43163, + "result": "fail" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12675", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "o9XAUmcBTFzn_XoLKIGO", + "source": { + "@timestamp": "2018-11-27T01:19:43.268Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "141.89.111.68", + "type": "user-session" + } + }, + "sequence": 192503, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "475", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "141.89.111.68" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "pNXAUmcBTFzn_XoLKIGO", + "source": { + "@timestamp": "2018-11-27T01:19:43.269Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "475", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "141.89.111.68" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": 
"login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "141.89.111.68", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192504 + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "pdXAUmcBTFzn_XoLKIGO", + "source": { + "@timestamp": "2018-11-27T01:19:43.395Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "141.89.111.68" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "141.89.111.68", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192505 + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "475", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "141.89.111.68" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "O9XAUmcBTFzn_XoLzZAP", + "source": { + "@timestamp": "2018-11-27T01:20:25.380Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": 
"sshd", + "secondary": "195.84.49.20", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44179, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "29341", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "195.84.49.20" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "PNXAUmcBTFzn_XoLzZAP", + "source": { + "@timestamp": "2018-11-27T01:20:25.380Z", + "source": { + "ip": "195.84.49.20" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "195.84.49.20", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 44180, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "29341", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "PdXAUmcBTFzn_XoLzZAP", + "source": { + "@timestamp": "2018-11-27T01:20:25.516Z", 
+ "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "source": { + "ip": "195.84.49.20" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44181, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "195.84.49.20" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "195.84.49.20", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "29341" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "SNXCUmcBTFzn_XoLvLq2", + "source": { + "@timestamp": "2018-11-27T01:22:32.268Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32248" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186407, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + 
"type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "SdXCUmcBTFzn_XoLvLq2", + "source": { + "@timestamp": "2018-11-27T01:22:32.269Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + } + }, + "sequence": 186408, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32248", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "StXCUmcBTFzn_XoLvLq2", + "source": { + "@timestamp": "2018-11-27T01:22:32.300Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186409, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "107.170.65.109" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + 
"auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32248", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "c9XCUmcBTFzn_XoL-sCa", + "source": { + "@timestamp": "2018-11-27T01:22:48.071Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "490", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "68.183.62.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "secondary": "68.183.62.109", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 192506, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "dNXCUmcBTFzn_XoL-sCa", + "source": { + "@timestamp": "2018-11-27T01:22:48.073Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "68.183.62.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 192507, + "result": "fail" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + 
"hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "490", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "68.183.62.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ddXCUmcBTFzn_XoL-sCa", + "source": { + "@timestamp": "2018-11-27T01:22:48.104Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "490" + }, + "source": { + "ip": "68.183.62.109" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "68.183.62.109", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "68.183.62.109" + } + }, + "sequence": 192508, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "stXDUmcBTFzn_XoLwdCO", + "source": { + "@timestamp": "2018-11-27T01:23:39.044Z", + "process": { + "pid": "502", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "80.127.254.119" + }, + "network": { + "direction": "incoming" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "auditd": { + 
"sequence": 192511, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "80.127.254.119" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "s9XDUmcBTFzn_XoLwdCO", + "source": { + "@timestamp": "2018-11-27T01:23:39.045Z", + "process": { + "pid": "502", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "80.127.254.119" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "sequence": 192512, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "80.127.254.119", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "tNXDUmcBTFzn_XoLwdCO", + "source": { + "@timestamp": "2018-11-27T01:23:39.260Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", 
+ "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "502", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "80.127.254.119" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "80.127.254.119" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "80.127.254.119", + "type": "user-session" + } + }, + "sequence": 192513, + "result": "fail" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "TtXDUmcBTFzn_XoLkcxS", + "source": { + "@timestamp": "2018-11-27T01:23:26.696Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32251", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "93.104.213.19" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186410, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "93.104.213.19", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"T9XDUmcBTFzn_XoLkcxS", + "source": { + "@timestamp": "2018-11-27T01:23:26.697Z", + "source": { + "ip": "93.104.213.19" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "93.104.213.19", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186411, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32251", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "UNXDUmcBTFzn_XoLkcxS", + "source": { + "@timestamp": "2018-11-27T01:23:26.812Z", + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32251", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "93.104.213.19" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "sequence": 186412, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "93.104.213.19", + "terminal": "ssh" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "93.104.213.19", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + }, + "event": { + "module": "auditd", + 
"category": "user-login", + "type": "user_err", + "action": "error" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ctXCUmcBTFzn_XoL3b2F", + "source": { + "@timestamp": "2018-11-27T01:22:40.662Z", + "source": { + "ip": "185.238.72.255" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "auditd": { + "sequence": 43164, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "185.238.72.255", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12678", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "c9XCUmcBTFzn_XoL3b2F", + "source": { + "@timestamp": "2018-11-27T01:22:40.662Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12678", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "185.238.72.255" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + 
"secondary": "185.238.72.255", + "type": "user-session" + } + }, + "sequence": 43165, + "result": "fail" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "dNXCUmcBTFzn_XoL3b2F", + "source": { + "@timestamp": "2018-11-27T01:22:40.794Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12678" + }, + "source": { + "ip": "185.238.72.255" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "hostname": "185.238.72.255", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "185.238.72.255", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43166, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "SNXDUmcBTFzn_XoLtc-O", + "source": { + "@timestamp": "2018-11-27T01:23:35.972Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32253", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": 
"(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186413, + "result": "fail" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "SdXDUmcBTFzn_XoLtc-O", + "source": { + "@timestamp": "2018-11-27T01:23:35.973Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32253", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 186414, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "StXDUmcBTFzn_XoLtc-O", + "source": { + "@timestamp": "2018-11-27T01:23:36.003Z", + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": 
"32253", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "hostname": "107.170.65.109", + "terminal": "ssh" + }, + "summary": { + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 186415, + "result": "fail", + "session": "unset" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CNXDUmcBTFzn_XoLps53", + "source": { + "@timestamp": "2018-11-27T01:23:32.109Z", + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "125.227.77.88" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "125.227.77.88" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "125.227.77.88", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 184346 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "25735", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "HNXDUmcBTFzn_XoLp84D", + "source": { + "@timestamp": "2018-11-27T01:23:32.249Z", + "user": { + "uid": "0", + 
"name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "500", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "142.93.109.33" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "hostname": "142.93.109.33", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "142.93.109.33", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192510, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rdXDUmcBTFzn_XoLZcgh", + "source": { + "@timestamp": "2018-11-27T01:23:15.383Z", + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "25733", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "125.227.77.88" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "125.227.77.88", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "125.227.77.88", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 184345, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": 
{ + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "v9XDUmcBTFzn_XoLIMO9", + "source": { + "@timestamp": "2018-11-27T01:22:57.875Z", + "process": { + "pid": "497", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "94.16.115.155" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "94.16.115.155" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "94.16.115.155", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192509, + "result": "fail" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ndXDUmcBTFzn_XoL69Tr", + "source": { + "@timestamp": "2018-11-27T01:23:49.884Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "147.229.176.122" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "147.229.176.122", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43167, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": 
"/usr/sbin/sshd", + "pid": "12686" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ntXDUmcBTFzn_XoL69Tr", + "source": { + "@timestamp": "2018-11-27T01:23:49.884Z", + "source": { + "ip": "147.229.176.122" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "147.229.176.122", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 43168 + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12686" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "n9XDUmcBTFzn_XoL69Tr", + "source": { + "@timestamp": "2018-11-27T01:23:50.008Z", + "process": { + "pid": "12686", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "147.229.176.122" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "ssh", + "secondary": "147.229.176.122", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 43169, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "147.229.176.122", + "terminal": "ssh" + } + }, + 
"beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CNXDUmcBTFzn_XoL99V8", + "source": { + "@timestamp": "2018-11-27T01:23:52.849Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "25737" + }, + "source": { + "ip": "125.227.77.88" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "125.227.77.88" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184347, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CdXDUmcBTFzn_XoL99V8", + "source": { + "@timestamp": "2018-11-27T01:23:52.850Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "25737" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": 
"demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "125.227.77.88" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "125.227.77.88", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 184348 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CtXDUmcBTFzn_XoL99V8", + "source": { + "@timestamp": "2018-11-27T01:23:53.128Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "hostname": "125.227.77.88", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "secondary": "125.227.77.88", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 184349 + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "25737", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "125.227.77.88" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "9dXFUmcBTFzn_XoLyvxi", + "source": { + "@timestamp": "2018-11-27T01:25:52.376Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": 
"logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32272" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186422, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "9tXFUmcBTFzn_XoLyvxi", + "source": { + "@timestamp": "2018-11-27T01:25:52.377Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + }, + "sequence": 186423, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32272", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"99XFUmcBTFzn_XoLyvxi", + "source": { + "@timestamp": "2018-11-27T01:25:52.407Z", + "process": { + "pid": "32272", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + } + }, + "sequence": 186424, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "107.170.65.109", + "terminal": "ssh" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "aNXFUmcBTFzn_XoLzv1N", + "source": { + "@timestamp": "2018-11-27T01:25:53.380Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "524", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.236.181.158" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "104.236.181.158", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192520, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", 
+ "action": "logged-in", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "adXFUmcBTFzn_XoLzv1N", + "source": { + "@timestamp": "2018-11-27T01:25:53.381Z", + "process": { + "pid": "524", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.236.181.158" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192521, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "104.236.181.158", + "type": "user-session", + "primary": "sshd" + } + } + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "atXFUmcBTFzn_XoLzv1N", + "source": { + "@timestamp": "2018-11-27T01:25:53.425Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "104.236.181.158" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "104.236.181.158" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192522, + "result": "fail", + "session": "unset" + }, + "event": { + "type": 
"user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "524", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.236.181.158" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "q9XDUmcBTFzn_XoL2tJr", + "source": { + "@timestamp": "2018-11-27T01:23:45.409Z", + "process": { + "pid": "19632", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "source": { + "ip": "46.101.192.45" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "46.101.192.45", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 142336, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rNXDUmcBTFzn_XoL2tJr", + "source": { + "@timestamp": "2018-11-27T01:23:45.410Z", + "source": { + "ip": "46.101.192.45" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "46.101.192.45" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142337, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + 
"acct": "(invalid user)", + "terminal": "sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "process": { + "pid": "19632", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rdXDUmcBTFzn_XoL2tJr", + "source": { + "@timestamp": "2018-11-27T01:23:45.519Z", + "auditd": { + "sequence": 142338, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "46.101.192.45", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "46.101.192.45", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19632" + }, + "source": { + "ip": "46.101.192.45" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "kNbGUmcBTFzn_XoLcgv7", + "source": { + "@timestamp": "2018-11-27T01:26:35.537Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + 
"process": { + "pid": "25757", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "167.114.153.36" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184350, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "167.114.153.36", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "kdbGUmcBTFzn_XoLcgv7", + "source": { + "@timestamp": "2018-11-27T01:26:35.538Z", + "source": { + "ip": "167.114.153.36" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "167.114.153.36", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184351, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "25757" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ktbGUmcBTFzn_XoLcgv7", + "source": { + "@timestamp": 
"2018-11-27T01:26:35.581Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "167.114.153.36" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "167.114.153.36", + "type": "user-session" + } + }, + "sequence": 184352 + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "25757" + }, + "source": { + "ip": "167.114.153.36" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YNXEUmcBTFzn_XoLu-bL", + "source": { + "@timestamp": "2018-11-27T01:24:43.105Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32262", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186416, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": 
"demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YdXEUmcBTFzn_XoLu-bL", + "source": { + "@timestamp": "2018-11-27T01:24:43.106Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186417, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32262" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YtXEUmcBTFzn_XoLu-bL", + "source": { + "@timestamp": "2018-11-27T01:24:43.136Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32262" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "hostname": "107.170.65.109", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": 
"user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186418, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6dXFUmcBTFzn_XoLNvCh", + "source": { + "@timestamp": "2018-11-27T01:25:14.551Z", + "auditd": { + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "34.197.73.243", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186419, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32269", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "34.197.73.243" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6tXFUmcBTFzn_XoLNvCh", + "source": { + "@timestamp": "2018-11-27T01:25:14.552Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32269", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": 
"34.197.73.243" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "34.197.73.243" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186420, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "69XFUmcBTFzn_XoLNvCh", + "source": { + "@timestamp": "2018-11-27T01:25:14.587Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32269", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "34.197.73.243" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "34.197.73.243", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "34.197.73.243", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 186421, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "WtXEUmcBTFzn_XoLA9aC", + "source": { + "@timestamp": "2018-11-27T01:23:55.928Z", + "auditd": { + "sequence": 192514, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "211.21.65.57", + "type": 
"user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "504", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "211.21.65.57" + }, + "network": { + "direction": "incoming" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "W9XEUmcBTFzn_XoLA9aC", + "source": { + "@timestamp": "2018-11-27T01:23:55.929Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "504" + }, + "source": { + "ip": "211.21.65.57" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192515, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "211.21.65.57", + "type": "user-session" + } + } + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "XNXEUmcBTFzn_XoLA9aC", + "source": { + "@timestamp": "2018-11-27T01:23:56.099Z", + "network": { + "direction": "incoming" + }, + "auditd": { + 
"summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "211.21.65.57" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192516, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "211.21.65.57" + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "504", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "211.21.65.57" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "sNXEUmcBTFzn_XoLbd__", + "source": { + "@timestamp": "2018-11-27T01:24:23.144Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "515", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "54.254.52.72" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "54.254.52.72", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192517, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "sdXEUmcBTFzn_XoLbd__", + "source": { + "@timestamp": "2018-11-27T01:24:23.145Z", + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "54.254.52.72", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192518, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "515", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "54.254.52.72" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "stXEUmcBTFzn_XoLbd__", + "source": { + "@timestamp": "2018-11-27T01:24:23.339Z", + "auditd": { + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "54.254.52.72" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "54.254.52.72" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192519, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "515", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "54.254.52.72" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": 
"demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "PtXFUmcBTFzn_XoLg_d5", + "source": { + "@timestamp": "2018-11-27T01:25:34.159Z", + "source": { + "ip": "192.240.119.252" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "ssh", + "hostname": "192.240.119.252", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "192.240.119.252" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 44182, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "29443", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2NbIUmcBTFzn_XoLSjPA", + "source": { + "@timestamp": "2018-11-27T01:28:36.309Z", + "file": { + "size": 0, + "group": "root", + "path": "/etc/sed8B6Ati", + "ctime": "2018-11-27T01:28:36.306Z", + "uid": 0, + "gid": 0, + "inode": "332", + "mode": "0000", + "owner": "root", + "mtime": "2018-11-27T01:28:36.306Z", + "type": "file" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "hash": { + "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709" + }, + "event": { + "module": "file_integrity", + "action": [ + "created" + ] + } + } + } +} + +{ 
+ "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2dbIUmcBTFzn_XoLSjPA", + "source": { + "@timestamp": "2018-11-27T01:28:36.311Z", + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "action": [ + "updated" + ], + "module": "file_integrity" + }, + "file": { + "ctime": "2018-11-27T01:28:36.306Z", + "mtime": "2018-11-27T01:28:36.306Z", + "owner": "root", + "path": "/etc/sed8B6Ati", + "size": 21, + "type": "file", + "uid": 0, + "gid": 0, + "inode": "332", + "mode": "0000", + "group": "root" + }, + "hash": { + "sha1": "302493715263b503309437954b46d73fee714260" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2tbIUmcBTFzn_XoLSjPA", + "source": { + "@timestamp": "2018-11-27T01:28:36.312Z", + "event": { + "module": "file_integrity", + "action": [ + "updated" + ] + }, + "file": { + "path": "/etc/sed8B6Ati" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "29bIUmcBTFzn_XoLSjPA", + "source": { + "@timestamp": "2018-11-27T01:28:36.314Z", + "event": { + "module": "file_integrity", + "action": [ + "moved" + ] + }, + "file": { + "path": "/etc/sed8B6Ati" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3NbIUmcBTFzn_XoLSjPA", + "source": { + "@timestamp": "2018-11-27T01:28:36.315Z", + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "action": [ + "created" + ], + "module": 
"file_integrity" + }, + "file": { + "size": 420, + "type": "file", + "uid": 0, + "inode": "332", + "ctime": "2018-11-27T01:28:36.306Z", + "mode": "0644", + "path": "/etc/hosts", + "mtime": "2018-11-27T01:28:36.306Z", + "owner": "root", + "gid": 0, + "group": "root" + }, + "hash": { + "sha1": "3ecab8f840eff15248fdb68f4cc7c3d0d9971476" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3dbIUmcBTFzn_XoLSjPA", + "source": { + "@timestamp": "2018-11-27T01:28:36.410Z", + "event": { + "category": "system-services", + "type": "service_stop", + "action": "stopped-service", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "1", + "name": "systemd", + "exe": "/lib/systemd/systemd" + }, + "auditd": { + "session": "unset", + "data": { + "unit": "rsyslog" + }, + "summary": { + "object": { + "type": "service", + "primary": "rsyslog" + }, + "how": "/lib/systemd/systemd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 44186, + "result": "success" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3tbIUmcBTFzn_XoLSjPA", + "source": { + "@timestamp": "2018-11-27T01:28:36.470Z", + "process": { + "exe": "/lib/systemd/systemd", + "pid": "1", + "name": "systemd" + }, + "auditd": { + "data": { + "unit": "rsyslog" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "service", + "primary": "rsyslog" + }, + "how": "/lib/systemd/systemd" + }, + "sequence": 44187, + "result": "success", + "session": "unset" + }, + "beat": 
{ + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "type": "service_start", + "action": "started-service", + "module": "auditd", + "category": "system-services" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "MNbHUmcBTFzn_XoLFxpi", + "source": { + "@timestamp": "2018-11-27T01:27:17.624Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "25765", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "59.124.152.146" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "59.124.152.146", + "type": "user-session" + } + }, + "sequence": 184353, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "MdbHUmcBTFzn_XoLFxpi", + "source": { + "@timestamp": "2018-11-27T01:27:17.625Z", + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + 
"uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "25765", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "59.124.152.146" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184354, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "59.124.152.146" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "MtbHUmcBTFzn_XoLFxpi", + "source": { + "@timestamp": "2018-11-27T01:27:17.794Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184355, + "result": "fail", + "session": "unset", + "data": { + "hostname": "59.124.152.146", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "59.124.152.146", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "25765" + }, + "source": { + "ip": "59.124.152.146" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "M9bHUmcBTFzn_XoLFxqn", + "source": { + "@timestamp": "2018-11-27T01:27:17.693Z", + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + 
"version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "167.99.171.14", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192523 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "532", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "167.99.171.14" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "NNbHUmcBTFzn_XoLFxqn", + "source": { + "@timestamp": "2018-11-27T01:27:17.695Z", + "source": { + "ip": "167.99.171.14" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "167.99.171.14", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 192524, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "532" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"NdbHUmcBTFzn_XoLFxqn", + "source": { + "@timestamp": "2018-11-27T01:27:17.735Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "532" + }, + "source": { + "ip": "167.99.171.14" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192525, + "result": "fail", + "session": "unset", + "data": { + "hostname": "167.99.171.14", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "167.99.171.14", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3dbHUmcBTFzn_XoLPR0X", + "source": { + "@timestamp": "2018-11-27T01:27:27.266Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19657", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "139.59.130.2" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "139.59.130.2", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142339 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + 
"version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3tbHUmcBTFzn_XoLPR0X", + "source": { + "@timestamp": "2018-11-27T01:27:27.267Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "19657", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "source": { + "ip": "139.59.130.2" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "139.59.130.2", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 142340, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "39bHUmcBTFzn_XoLPR0X", + "source": { + "@timestamp": "2018-11-27T01:27:27.376Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "139.59.130.2", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "139.59.130.2", + "type": "user-session" + } + }, + "sequence": 142341 + }, + "event": { + 
"category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19657", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "139.59.130.2" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "mNbIUmcBTFzn_XoLFi9i", + "source": { + "@timestamp": "2018-11-27T01:28:22.881Z", + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "25773", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "37.139.20.56" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "37.139.20.56" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 184356, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "mdbIUmcBTFzn_XoLFi9i", + "source": { + "@timestamp": "2018-11-27T01:28:22.883Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "37.139.20.56", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184357 + }, + "event": { + "category": 
"user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "25773", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "37.139.20.56" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "mtbIUmcBTFzn_XoLFi9i", + "source": { + "@timestamp": "2018-11-27T01:28:22.989Z", + "source": { + "ip": "37.139.20.56" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "37.139.20.56", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "37.139.20.56" + } + }, + "sequence": 184358, + "result": "fail" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "25773", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0NbHUmcBTFzn_XoL7Stw", + "source": { + "@timestamp": "2018-11-27T01:28:12.420Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + 
"process": { + "pid": "32287", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 186428, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0dbHUmcBTFzn_XoL7Stw", + "source": { + "@timestamp": "2018-11-27T01:28:12.422Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32287", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186429, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0tbHUmcBTFzn_XoL7Stw", + "source": { + "@timestamp": "2018-11-27T01:28:12.453Z", + 
"source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "107.170.65.109" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186430, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32287" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ItbIUmcBTFzn_XoLqjzc", + "source": { + "@timestamp": "2018-11-27T01:29:00.914Z", + "process": { + "pid": "545", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "209.97.173.192" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "209.97.173.192", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 192526 + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } 
+} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "I9bIUmcBTFzn_XoLqjzc", + "source": { + "@timestamp": "2018-11-27T01:29:00.915Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "545" + }, + "source": { + "ip": "209.97.173.192" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "209.97.173.192" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 192527, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JNbIUmcBTFzn_XoLqjzc", + "source": { + "@timestamp": "2018-11-27T01:29:01.108Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "545", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "209.97.173.192" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192528, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "209.97.173.192" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": 
"209.97.173.192", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ONbGUmcBTFzn_XoL2xQn", + "source": { + "@timestamp": "2018-11-27T01:27:02.205Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32279", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186425, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "OdbGUmcBTFzn_XoL2xQn", + "source": { + "@timestamp": "2018-11-27T01:27:02.206Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186426, + "result": "fail" + }, + "host": { + "name": 
"demo-stack-redis-01" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32279", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "OtbGUmcBTFzn_XoL2xQn", + "source": { + "@timestamp": "2018-11-27T01:27:02.238Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32279", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "107.170.65.109", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186427 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ltbHUmcBTFzn_XoLWR9W", + "source": { + "@timestamp": "2018-11-27T01:27:34.501Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "29478" + }, + "beat": { + "name": 
"demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "source": { + "ip": "46.105.89.195" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "46.105.89.195" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 44183, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "l9bHUmcBTFzn_XoLWR9W", + "source": { + "@timestamp": "2018-11-27T01:27:34.501Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "46.105.89.195", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44184 + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "29478", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.105.89.195" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "mNbHUmcBTFzn_XoLWR9W", + "source": { + "@timestamp": "2018-11-27T01:27:34.613Z", + "auditd": { + "session": "unset", + "data": { + "hostname": "46.105.89.195", + "terminal": "ssh", + "op": 
"PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "46.105.89.195", + "type": "user-session" + } + }, + "sequence": 44185, + "result": "fail" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "29478" + }, + "source": { + "ip": "46.105.89.195" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QtbIUmcBTFzn_XoLVjVA", + "source": { + "@timestamp": "2018-11-27T01:28:39.253Z", + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "auditd": { + "sequence": 43170, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "51.255.34.233", + "type": "user-session" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12716" + }, + "source": { + "ip": "51.255.34.233" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"Q9bIUmcBTFzn_XoLVjVA", + "source": { + "@timestamp": "2018-11-27T01:28:39.253Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12716" + }, + "source": { + "ip": "51.255.34.233" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "51.255.34.233", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 43171 + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "RNbIUmcBTFzn_XoLVjVA", + "source": { + "@timestamp": "2018-11-27T01:28:39.361Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12716", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.255.34.233" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "51.255.34.233", + "type": "user-session" + } + }, + "sequence": 43172, + "result": "fail", + "session": "unset", + "data": { + "hostname": "51.255.34.233", + "terminal": "ssh", + "op": "PAM:bad_ident" + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "action": "error", + 
"module": "auditd", + "category": "user-login", + "type": "user_err" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "8tfRUmcBTFzn_XoL1ASG", + "source": { + "@timestamp": "2018-11-27T01:39:01.401Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12782" + }, + "source": { + "ip": "138.68.150.115" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "hostname": "138.68.150.115", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "138.68.150.115", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 43186, + "result": "fail", + "session": "unset" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "S9fRUmcBTFzn_XoL1gUs", + "source": { + "@timestamp": "2018-11-27T01:39:01.825Z", + "process": { + "pid": "25839", + "exe": "/usr/sbin/cron" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "sequence": 184368, + "result": "success", + "session": "unset", + "data": { + "op": "PAM:accounting", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "event": { + "type": "user_acct", + "action": 
"was-authorized", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "TNfRUmcBTFzn_XoL1gUs", + "source": { + "@timestamp": "2018-11-27T01:39:01.826Z", + "auditd": { + "session": "unset", + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:setcred" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 184369, + "result": "success" + }, + "event": { + "type": "cred_acq", + "action": "acquired-credentials", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "25839" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "TdfRUmcBTFzn_XoL1gUs", + "source": { + "@timestamp": "2018-11-27T01:39:01.828Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_start", + "action": "started-session" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "25839", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 184371, + "result": "success", + "session": "9859", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:session_open" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "beat": { + "name": 
"demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "TtfRUmcBTFzn_XoL1gUs", + "source": { + "@timestamp": "2018-11-27T01:39:01.923Z", + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "25839" + }, + "auditd": { + "sequence": 184372, + "result": "success", + "session": "9859", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:setcred" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "cred_disp", + "action": "disposed-credentials" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "T9fRUmcBTFzn_XoL1gUs", + "source": { + "@timestamp": "2018-11-27T01:39:01.924Z", + "process": { + "pid": "25839", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 184373, + "result": "success", + "session": "9859", + "data": { + "acct": "root", + "op": "PAM:session_close", + "terminal": "cron" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "event": { + "category": "user-login", + "type": "user_end", + "action": "ended-session", + "module": "auditd" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": 
"demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "UdfRUmcBTFzn_XoL1gXc", + "source": { + "@timestamp": "2018-11-27T01:39:02.001Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_acct", + "action": "was-authorized" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "608" + }, + "auditd": { + "sequence": 192547, + "result": "success", + "session": "unset", + "data": { + "acct": "root", + "op": "PAM:accounting", + "terminal": "cron" + }, + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "secondary": "root", + "primary": "unset" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "UtfRUmcBTFzn_XoL1gXc", + "source": { + "@timestamp": "2018-11-27T01:39:02.001Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "608" + }, + "auditd": { + "sequence": 192548, + "result": "success", + "session": "unset", + "data": { + "op": "PAM:setcred", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "action": 
"acquired-credentials", + "module": "auditd", + "category": "user-login", + "type": "cred_acq" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "U9fRUmcBTFzn_XoL1gXc", + "source": { + "@timestamp": "2018-11-27T01:39:02.003Z", + "auditd": { + "result": "success", + "session": "9863", + "data": { + "terminal": "cron", + "op": "PAM:session_open", + "acct": "root" + }, + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + } + }, + "sequence": 192550 + }, + "event": { + "action": "started-session", + "module": "auditd", + "category": "user-login", + "type": "user_start" + }, + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "608" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "VNfRUmcBTFzn_XoL1gXc", + "source": { + "@timestamp": "2018-11-27T01:39:02.100Z", + "process": { + "pid": "608", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "result": "success", + "session": "9863", + "data": { + "op": "PAM:setcred", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 192551 + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "action": "disposed-credentials", + "module": "auditd", + "category": "user-login", + "type": "cred_disp" + }, + "user": { + 
"name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "VdfRUmcBTFzn_XoL1gXc", + "source": { + "@timestamp": "2018-11-27T01:39:02.101Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "608", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 192552, + "result": "success", + "session": "9863", + "data": { + "op": "PAM:session_close", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "event": { + "category": "user-login", + "type": "user_end", + "action": "ended-session", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KdbRUmcBTFzn_XoLPPiy", + "source": { + "@timestamp": "2018-11-27T01:38:22.535Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19718" + }, + "source": { + "ip": "207.154.201.218" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "sequence": 142346, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "207.154.201.218" + }, + "how": "/usr/sbin/sshd", + "actor": { + 
"primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KtbRUmcBTFzn_XoLPPiy", + "source": { + "@timestamp": "2018-11-27T01:38:22.537Z", + "process": { + "pid": "19718", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "207.154.201.218" + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142347, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "207.154.201.218", + "type": "user-session" + } + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "K9bRUmcBTFzn_XoLPPiy", + "source": { + "@timestamp": "2018-11-27T01:38:22.645Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19718" + }, + "source": { + "ip": "207.154.201.218" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142348, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "207.154.201.218" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "207.154.201.218", + "type": 
"user-session" + } + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "GdfTUmcBTFzn_XoLdSoA", + "source": { + "@timestamp": "2018-11-27T01:40:48.022Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19732", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "188.226.187.115" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "188.226.187.115", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142349, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "GtfTUmcBTFzn_XoLdSoA", + "source": { + "@timestamp": "2018-11-27T01:40:48.024Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "sequence": 142350, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + 
}, + "object": { + "primary": "sshd", + "secondary": "188.226.187.115", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19732", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "188.226.187.115" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "G9fTUmcBTFzn_XoLdSoA", + "source": { + "@timestamp": "2018-11-27T01:40:48.126Z", + "source": { + "ip": "188.226.187.115" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "188.226.187.115" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "188.226.187.115", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142351, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19732", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "jdfTUmcBTFzn_XoLsi5i", + "source": { + "@timestamp": "2018-11-27T01:41:03.736Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", 
+ "version": "7.0.0-alpha1" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32370" + }, + "source": { + "ip": "82.200.205.71" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "82.200.205.71", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 186473, + "result": "fail" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "jtfTUmcBTFzn_XoLsi5i", + "source": { + "@timestamp": "2018-11-27T01:41:03.737Z", + "source": { + "ip": "82.200.205.71" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "82.200.205.71" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186474, + "result": "fail" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32370", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "j9fTUmcBTFzn_XoLsi5i", + "source": { + "@timestamp": "2018-11-27T01:41:03.993Z", + "auditd": { + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "82.200.205.71" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "82.200.205.71" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186475, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32370", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "82.200.205.71" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "a9bRUmcBTFzn_XoLcPxx", + "source": { + "@timestamp": "2018-11-27T01:38:35.782Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 186464 + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + 
"pid": "32356", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "bNbRUmcBTFzn_XoLcPxx", + "source": { + "@timestamp": "2018-11-27T01:38:35.783Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32356" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 186465 + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "bdbRUmcBTFzn_XoLcPxx", + "source": { + "@timestamp": "2018-11-27T01:38:35.814Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32356", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "ssh", 
+ "op": "PAM:bad_ident", + "hostname": "107.170.65.109" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + } + }, + "sequence": 186466, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2dfSUmcBTFzn_XoLXhCA", + "source": { + "@timestamp": "2018-11-27T01:39:36.720Z", + "auditd": { + "sequence": 43187, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "89.221.217.8", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "12790", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "89.221.217.8" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2tfSUmcBTFzn_XoLXhCA", + "source": { + "@timestamp": "2018-11-27T01:39:36.724Z", + "source": { + "ip": "89.221.217.8" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43188, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + 
"acct": "(invalid user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "89.221.217.8", + "type": "user-session", + "primary": "sshd" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "12790", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "29fSUmcBTFzn_XoLXhCA", + "source": { + "@timestamp": "2018-11-27T01:39:36.852Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "89.221.217.8", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "89.221.217.8", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43189, + "result": "fail" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "12790", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "89.221.217.8" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "adfSUmcBTFzn_XoLgRS2", + "source": { + "@timestamp": "2018-11-27T01:39:45.740Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + 
"auid": "unset" + }, + "process": { + "pid": "32360", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "auditd": { + "sequence": 186467, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "atfSUmcBTFzn_XoLgRS2", + "source": { + "@timestamp": "2018-11-27T01:39:45.741Z", + "process": { + "pid": "32360", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186468, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "a9fSUmcBTFzn_XoLgRS2", + "source": { + "@timestamp": 
"2018-11-27T01:39:45.771Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "107.170.65.109", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186469, + "result": "fail" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32360", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FdfTUmcBTFzn_XoLmy0i", + "source": { + "@timestamp": "2018-11-27T01:40:57.784Z", + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32368", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186470, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + 
"version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FtfTUmcBTFzn_XoLmy0i", + "source": { + "@timestamp": "2018-11-27T01:40:57.785Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186471 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32368", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "F9fTUmcBTFzn_XoLmy0i", + "source": { + "@timestamp": "2018-11-27T01:40:57.815Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "107.170.65.109" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186472, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + 
"pid": "32368" + }, + "source": { + "ip": "107.170.65.109" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rNfUUmcBTFzn_XoLBTW-", + "source": { + "@timestamp": "2018-11-27T01:41:25.073Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "12798", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.131.37.34" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43190, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "104.131.37.34", + "type": "user-session" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rdfUUmcBTFzn_XoLBTW-", + "source": { + "@timestamp": "2018-11-27T01:41:25.073Z", + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "12798", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.131.37.34" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "auditd": { + "sequence": 43191, + "result": "fail", + "session": 
"unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "104.131.37.34", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rtfUUmcBTFzn_XoLBTW-", + "source": { + "@timestamp": "2018-11-27T01:41:25.105Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12798" + }, + "source": { + "ip": "104.131.37.34" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43192, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "104.131.37.34" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "104.131.37.34", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "TNfWUmcBTFzn_XoLkW2H", + "source": { + "@timestamp": "2018-11-27T01:44:11.932Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "128.199.106.169" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": 
"unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "128.199.106.169", + "type": "user-session" + } + }, + "sequence": 186485, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32391", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "TdfWUmcBTFzn_XoLkW2H", + "source": { + "@timestamp": "2018-11-27T01:44:11.934Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32391", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "128.199.106.169" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "128.199.106.169", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186486 + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "TtfWUmcBTFzn_XoLkW2H", + "source": { + "@timestamp": "2018-11-27T01:44:12.126Z", + "process": { + "pid": "32391", + "exe": "/usr/sbin/sshd" + }, + "source": 
{ + "ip": "128.199.106.169" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "data": { + "terminal": "ssh", + "hostname": "128.199.106.169", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "128.199.106.169", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186487, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CtfWUmcBTFzn_XoLl27w", + "source": { + "@timestamp": "2018-11-27T01:44:13.574Z", + "source": { + "ip": "45.122.222.253" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "45.122.222.253", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 142361 + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "19759", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "C9fWUmcBTFzn_XoLl27w", + "source": { + "@timestamp": "2018-11-27T01:44:13.575Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19759", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "45.122.222.253" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142362, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "45.122.222.253" + } + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "DNfWUmcBTFzn_XoLl27w", + "source": { + "@timestamp": "2018-11-27T01:44:13.839Z", + "source": { + "ip": "45.122.222.253" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "ssh", + "hostname": "45.122.222.253", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "45.122.222.253" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + } + }, + "sequence": 142363, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + 
}, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19759", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "utfYUmcBTFzn_XoLQpK3", + "source": { + "@timestamp": "2018-11-27T01:46:02.828Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19772" + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "source": { + "ip": "151.203.70.218" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "151.203.70.218", + "type": "user-session" + } + }, + "sequence": 142364, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "u9fYUmcBTFzn_XoLQpK3", + "source": { + "@timestamp": "2018-11-27T01:46:02.829Z", + "source": { + "ip": "151.203.70.218" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142365, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "151.203.70.218" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + 
"type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19772" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "vNfYUmcBTFzn_XoLQpK3", + "source": { + "@timestamp": "2018-11-27T01:46:02.868Z", + "source": { + "ip": "151.203.70.218" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "151.203.70.218" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142366, + "result": "fail", + "session": "unset", + "data": { + "hostname": "151.203.70.218", + "terminal": "ssh", + "op": "PAM:bad_ident" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19772", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "SdfYUmcBTFzn_XoLRpPT", + "source": { + "@timestamp": "2018-11-27T01:46:03.873Z", + "process": { + "pid": "12823", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "152.115.61.52" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43193, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { 
+ "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "152.115.61.52", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "StfYUmcBTFzn_XoLRpPT", + "source": { + "@timestamp": "2018-11-27T01:46:03.873Z", + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "152.115.61.52", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 43194, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12823", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "152.115.61.52" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "S9fYUmcBTFzn_XoLRpPT", + "source": { + "@timestamp": "2018-11-27T01:46:04.009Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "12823", + "exe": 
"/usr/sbin/sshd" + }, + "source": { + "ip": "152.115.61.52" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "secondary": "152.115.61.52", + "type": "user-session", + "primary": "ssh" + } + }, + "sequence": 43195, + "result": "fail", + "session": "unset", + "data": { + "hostname": "152.115.61.52", + "op": "PAM:bad_ident", + "terminal": "ssh" + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "adfYUmcBTFzn_XoLXJVb", + "source": { + "@timestamp": "2018-11-27T01:46:09.392Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32410" + }, + "source": { + "ip": "106.51.66.214" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186494, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "106.51.66.214", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"atfYUmcBTFzn_XoLXJVb", + "source": { + "@timestamp": "2018-11-27T01:46:09.394Z", + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "106.51.66.214", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 186495, + "result": "fail", + "session": "unset" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32410", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "106.51.66.214" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "a9fYUmcBTFzn_XoLXJVb", + "source": { + "@timestamp": "2018-11-27T01:46:09.624Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32410" + }, + "source": { + "ip": "106.51.66.214" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186496, + "result": "fail", + "session": "unset", + "data": { + "hostname": "106.51.66.214", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "106.51.66.214", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": 
"demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "y9fYUmcBTFzn_XoLZZX6", + "source": { + "@timestamp": "2018-11-27T01:46:11.847Z", + "source": { + "ip": "92.86.47.26" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "92.86.47.26" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192553, + "result": "fail" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "700", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "zNfYUmcBTFzn_XoLZZX6", + "source": { + "@timestamp": "2018-11-27T01:46:11.848Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "92.86.47.26", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192554 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": 
"logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "700", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "92.86.47.26" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "zdfYUmcBTFzn_XoLZZX6", + "source": { + "@timestamp": "2018-11-27T01:46:11.996Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "700", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "92.86.47.26" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192555, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "92.86.47.26", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "92.86.47.26", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JNfWUmcBTFzn_XoLc2tJ", + "source": { + "@timestamp": "2018-11-27T01:44:04.191Z", + "process": { + "pid": "19756", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "177.137.205.150" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "177.137.205.150", + "type": 
"user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142358 + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JdfWUmcBTFzn_XoLc2tJ", + "source": { + "@timestamp": "2018-11-27T01:44:04.192Z", + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "177.137.205.150", + "type": "user-session" + } + }, + "sequence": 142359, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19756" + }, + "source": { + "ip": "177.137.205.150" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JtfWUmcBTFzn_XoLc2tJ", + "source": { + "@timestamp": "2018-11-27T01:44:04.375Z", + "process": { + "pid": "19756", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": 
"demo-stack-haproxy-01" + }, + "source": { + "ip": "177.137.205.150" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "hostname": "177.137.205.150", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "177.137.205.150" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142360, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "atfYUmcBTFzn_XoLgpgd", + "source": { + "@timestamp": "2018-11-27T01:46:19.059Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19774", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "140.143.190.243" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "sequence": 142367, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "140.143.190.243", + "type": "user-session", + "primary": "sshd" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "a9fYUmcBTFzn_XoLgpgd", + "source": { + "@timestamp": 
"2018-11-27T01:46:19.060Z", + "process": { + "pid": "19774", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "140.143.190.243" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142368, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "140.143.190.243", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "bNfYUmcBTFzn_XoLgpgd", + "source": { + "@timestamp": "2018-11-27T01:46:19.278Z", + "auditd": { + "sequence": 142369, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "140.143.190.243" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "140.143.190.243", + "type": "user-session" + } + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19774", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "source": { + "ip": "140.143.190.243" + }, + 
"network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "AtfXUmcBTFzn_XoLaoE9", + "source": { + "@timestamp": "2018-11-27T01:45:07.411Z", + "auditd": { + "sequence": 184386, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "217.19.148.142", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "25932", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "217.19.148.142" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "A9fXUmcBTFzn_XoLaoE9", + "source": { + "@timestamp": "2018-11-27T01:45:07.412Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "25932", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "217.19.148.142" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "217.19.148.142", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184387 + }, + "event": { + "action": 
"logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "BNfXUmcBTFzn_XoLaoE9", + "source": { + "@timestamp": "2018-11-27T01:45:07.545Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "25932", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "217.19.148.142" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "217.19.148.142" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "217.19.148.142", + "type": "user-session" + } + }, + "sequence": 184388, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "49fWUmcBTFzn_XoL_XYj", + "source": { + "@timestamp": "2018-11-27T01:44:39.480Z", + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186488 + }, + "event": { 
+ "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32399", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5NfWUmcBTFzn_XoL_XYj", + "source": { + "@timestamp": "2018-11-27T01:44:39.481Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32399", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186489, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5dfWUmcBTFzn_XoL_XYj", + "source": { + "@timestamp": "2018-11-27T01:44:39.512Z", + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "ssh" + } + }, + "sequence": 186490, 
+ "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "107.170.65.109" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32399", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "GtfVUmcBTFzn_XoL2l5j", + "source": { + "@timestamp": "2018-11-27T01:43:25.049Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32389", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186482 + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "G9fVUmcBTFzn_XoL2l5j", + "source": { + "@timestamp": "2018-11-27T01:43:25.050Z", + "event": { + "module": "auditd", + 
"category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32389" + }, + "source": { + "ip": "107.170.65.109" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186483, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "HNfVUmcBTFzn_XoL2l5j", + "source": { + "@timestamp": "2018-11-27T01:43:25.081Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32389", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "hostname": "107.170.65.109", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186484, + "result": "fail", + "session": "unset" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + 
"value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ANfYUmcBTFzn_XoLIJDK", + "source": { + "@timestamp": "2018-11-27T01:45:54.144Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32408" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 186491, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "AdfYUmcBTFzn_XoLIJDK", + "source": { + "@timestamp": "2018-11-27T01:45:54.146Z", + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32408", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + } + }, + "sequence": 186492, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", 
+ "type": "user_login", + "action": "logged-in" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "AtfYUmcBTFzn_XoLIJDK", + "source": { + "@timestamp": "2018-11-27T01:45:54.176Z", + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "107.170.65.109", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + } + }, + "sequence": 186493, + "result": "fail" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32408" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "kNjeUmcBTFzn_XoLchqO", + "source": { + "@timestamp": "2018-11-27T01:52:48.274Z", + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "92.222.218.139", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184392, + "result": "fail" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": 
"7.0.0-alpha1" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "25980", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "92.222.218.139" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "kdjeUmcBTFzn_XoLchqO", + "source": { + "@timestamp": "2018-11-27T01:52:48.275Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "25980" + }, + "source": { + "ip": "92.222.218.139" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "92.222.218.139" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184393, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ktjeUmcBTFzn_XoLchqO", + "source": { + "@timestamp": "2018-11-27T01:52:48.381Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "user": { + "uid": "0", + "name_map": { 
+ "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "25980", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "92.222.218.139" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "92.222.218.139" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "92.222.218.139" + } + }, + "sequence": 184394, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ANjeUmcBTFzn_XoLgBst", + "source": { + "@timestamp": "2018-11-27T01:52:51.775Z", + "source": { + "ip": "174.138.17.18" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "174.138.17.18", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43202, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12866" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "AdjeUmcBTFzn_XoLgBst", + "source": { + "@timestamp": "2018-11-27T01:52:51.775Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": 
"demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12866" + }, + "source": { + "ip": "174.138.17.18" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "174.138.17.18", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 43203, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "AtjeUmcBTFzn_XoLgBst", + "source": { + "@timestamp": "2018-11-27T01:52:51.851Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12868" + }, + "source": { + "ip": "54.38.47.28" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43204, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "54.38.47.28", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + 
"id": "A9jeUmcBTFzn_XoLgBst", + "source": { + "@timestamp": "2018-11-27T01:52:51.851Z", + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "12868", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "54.38.47.28" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43205, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "54.38.47.28", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "BNjeUmcBTFzn_XoLgBst", + "source": { + "@timestamp": "2018-11-27T01:52:51.963Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12868", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "54.38.47.28" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "54.38.47.28" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "54.38.47.28", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, 
+ "sequence": 43206, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "BdjeUmcBTFzn_XoLgBst", + "source": { + "@timestamp": "2018-11-27T01:52:51.967Z", + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "12866", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "174.138.17.18" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "hostname": "174.138.17.18", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "174.138.17.18", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43207 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "vtjdUmcBTFzn_XoLhQbg", + "source": { + "@timestamp": "2018-11-27T01:51:47.702Z", + "process": { + "pid": "25972", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "201.151.178.139" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184389, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "201.151.178.139", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": 
"auditd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "v9jdUmcBTFzn_XoLhQbg", + "source": { + "@timestamp": "2018-11-27T01:51:47.704Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "25972", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "201.151.178.139" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "201.151.178.139", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 184390 + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "wNjdUmcBTFzn_XoLhQbg", + "source": { + "@timestamp": "2018-11-27T01:51:47.788Z", + "process": { + "pid": "25972", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "201.151.178.139" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "201.151.178.139", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184391, + "result": "fail", + 
"session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "201.151.178.139", + "terminal": "ssh" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "N9jdUmcBTFzn_XoLlgd5", + "source": { + "@timestamp": "2018-11-27T01:51:51.949Z", + "process": { + "pid": "19818", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "121.124.124.73" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "121.124.124.73" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + }, + "sequence": 142389, + "result": "fail" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ONjdUmcBTFzn_XoLlgd5", + "source": { + "@timestamp": "2018-11-27T01:51:51.951Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "auid": "unset", + 
"name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19818", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "121.124.124.73" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "121.124.124.73", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 142390, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "OdjdUmcBTFzn_XoLlgd5", + "source": { + "@timestamp": "2018-11-27T01:51:52.141Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19818", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "121.124.124.73" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "121.124.124.73" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "121.124.124.73" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142391 + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "EdjfUmcBTFzn_XoLJSnD", + "source": { + "@timestamp": 
"2018-11-27T01:53:34.169Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19831", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "79.137.64.132" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "79.137.64.132", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142392, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "EtjfUmcBTFzn_XoLJSnD", + "source": { + "@timestamp": "2018-11-27T01:53:34.170Z", + "source": { + "ip": "79.137.64.132" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "79.137.64.132" + } + }, + "sequence": 142393, + "result": "fail", + "session": "unset" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": 
"19831", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "E9jfUmcBTFzn_XoLJSnD", + "source": { + "@timestamp": "2018-11-27T01:53:34.276Z", + "source": { + "ip": "79.137.64.132" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "79.137.64.132", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "79.137.64.132", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142394, + "result": "fail" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "19831", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ZtjfUmcBTFzn_XoLJila", + "source": { + "@timestamp": "2018-11-27T01:53:34.315Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "161.132.195.76", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 43211 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": 
"demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "pid": "12877", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "161.132.195.76" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Z9jfUmcBTFzn_XoLJila", + "source": { + "@timestamp": "2018-11-27T01:53:34.315Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "pid": "12877", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "161.132.195.76" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "161.132.195.76", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43212, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "aNjfUmcBTFzn_XoLJila", + "source": { + "@timestamp": "2018-11-27T01:53:34.427Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "12877", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "161.132.195.76" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": 
"ssh", + "hostname": "161.132.195.76", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "161.132.195.76", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43213, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Y9jdUmcBTFzn_XoLdARP", + "source": { + "@timestamp": "2018-11-27T01:51:43.201Z", + "auditd": { + "sequence": 43196, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "83.222.240.60" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "12856", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "83.222.240.60" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ZNjdUmcBTFzn_XoLdARP", + "source": { + "@timestamp": "2018-11-27T01:51:43.205Z", + "source": { + "ip": "83.222.240.60" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43197, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + 
"summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "83.222.240.60", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12856" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ZdjdUmcBTFzn_XoLdARP", + "source": { + "@timestamp": "2018-11-27T01:51:43.309Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43198, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "83.222.240.60" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "83.222.240.60", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "12856", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "83.222.240.60" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "INjdUmcBTFzn_XoLggVd", + "source": { + "@timestamp": "2018-11-27T01:51:46.789Z", + "network": { + "direction": "incoming" + }, + "auditd": { + 
"data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "secondary": "142.93.210.90", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 44207, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "30014", + "exe": "/usr/sbin/sshd" + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "source": { + "ip": "142.93.210.90" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "IdjdUmcBTFzn_XoLggVd", + "source": { + "@timestamp": "2018-11-27T01:51:46.789Z", + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "30014", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "142.93.210.90" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "142.93.210.90" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44208, + "result": "fail" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ItjdUmcBTFzn_XoLggVd", + "source": { + "@timestamp": "2018-11-27T01:51:47.021Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "142.93.210.90" + } + }, + "sequence": 44209, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "142.93.210.90" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "30014", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "142.93.210.90" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FtjdUmcBTFzn_XoLYAMi", + "source": { + "@timestamp": "2018-11-27T01:51:38.040Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "19814", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "121.124.124.73" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "121.124.124.73", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "121.124.124.73", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142385, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": 
"demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rtjdUmcBTFzn_XoLaAOj", + "source": { + "@timestamp": "2018-11-27T01:51:40.216Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "19816", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "121.124.124.73" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "121.124.124.73", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142386, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + } + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "r9jdUmcBTFzn_XoLaAOj", + "source": { + "@timestamp": "2018-11-27T01:51:40.217Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "121.124.124.73", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142387, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + 
} + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19816", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "121.124.124.73" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "sNjdUmcBTFzn_XoLaAOj", + "source": { + "@timestamp": "2018-11-27T01:51:40.395Z", + "auditd": { + "sequence": 142388, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "121.124.124.73" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "121.124.124.73", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19816", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "121.124.124.73" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FtjdUmcBTFzn_XoL0w1m", + "source": { + "@timestamp": "2018-11-27T01:52:07.547Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32446", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + 
"direction": "incoming" + }, + "auditd": { + "sequence": 186509, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + } + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "F9jdUmcBTFzn_XoL0w1m", + "source": { + "@timestamp": "2018-11-27T01:52:07.548Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186510, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32446", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "GNjdUmcBTFzn_XoL0w1m", + "source": { + "@timestamp": "2018-11-27T01:52:07.578Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + 
"auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32446" + }, + "source": { + "ip": "107.170.65.109" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186511, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "hdjeUmcBTFzn_XoLyiGI", + "source": { + "@timestamp": "2018-11-27T01:53:10.809Z", + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "128.199.128.215" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43208, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "12875", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "128.199.128.215" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"htjeUmcBTFzn_XoLyiGI", + "source": { + "@timestamp": "2018-11-27T01:53:10.813Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "12875", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "128.199.128.215" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "128.199.128.215", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43209, + "result": "fail" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "h9jeUmcBTFzn_XoLyiGI", + "source": { + "@timestamp": "2018-11-27T01:53:11.005Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "12875", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "128.199.128.215" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "ssh", + "secondary": "128.199.128.215", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + } + }, + "sequence": 43210, + "result": "fail", + "session": "unset", + "data": { + 
"hostname": "128.199.128.215", + "terminal": "ssh", + "op": "PAM:bad_ident" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "hdjeUmcBTFzn_XoL5SQF", + "source": { + "@timestamp": "2018-11-27T01:53:17.595Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32449", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186512 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "htjeUmcBTFzn_XoL5SQF", + "source": { + "@timestamp": "2018-11-27T01:53:17.596Z", + "auditd": { + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186513, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": 
"demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32449" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "h9jeUmcBTFzn_XoL5SQF", + "source": { + "@timestamp": "2018-11-27T01:53:17.627Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32449", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186514, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "107.170.65.109" + } + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ytjdUmcBTFzn_XoL0gs9", + "source": { + "@timestamp": "2018-11-27T01:52:07.159Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "153.19.40.20" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43199, + 
"result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "12863", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "153.19.40.20" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "y9jdUmcBTFzn_XoL0gs9", + "source": { + "@timestamp": "2018-11-27T01:52:07.159Z", + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12863" + }, + "source": { + "ip": "153.19.40.20" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43200, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "153.19.40.20" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "zNjdUmcBTFzn_XoL0gs9", + "source": { + "@timestamp": "2018-11-27T01:52:07.287Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "153.19.40.20" + }, + "summary": { + "actor": { + 
"primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "153.19.40.20" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43201, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "pid": "12863", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "153.19.40.20" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KNjkUmcBTFzn_XoLfZ-j", + "source": { + "@timestamp": "2018-11-27T01:59:24.344Z", + "process": { + "pid": "783", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "91.134.241.32" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "91.134.241.32" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192562 + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KdjkUmcBTFzn_XoLfZ-j", + "source": { + "@timestamp": "2018-11-27T01:59:24.345Z", + "network": { + 
"direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "91.134.241.32", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192563, + "result": "fail" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "783" + }, + "source": { + "ip": "91.134.241.32" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KtjkUmcBTFzn_XoLfZ-j", + "source": { + "@timestamp": "2018-11-27T01:59:24.452Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "91.134.241.32" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "hostname": "91.134.241.32", + "terminal": "ssh" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "91.134.241.32", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192564, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "783", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": 
"doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QdjkUmcBTFzn_XoLgZ_0", + "source": { + "@timestamp": "2018-11-27T01:59:25.449Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32500" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186542, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QtjkUmcBTFzn_XoLgZ_0", + "source": { + "@timestamp": "2018-11-27T01:59:25.450Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32500", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186543, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd", + "actor": { + 
"primary": "unset", + "secondary": "(invalid user)" + } + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Q9jkUmcBTFzn_XoLgZ_0", + "source": { + "@timestamp": "2018-11-27T01:59:25.481Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + } + }, + "sequence": 186544, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "107.170.65.109", + "terminal": "ssh" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32500", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "jdjjUmcBTFzn_XoLToQx", + "source": { + "@timestamp": "2018-11-27T01:58:06.663Z", + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + } + }, + "sequence": 186539, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": 
"demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32492", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "jtjjUmcBTFzn_XoLToQx", + "source": { + "@timestamp": "2018-11-27T01:58:06.664Z", + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "32492", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186540, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "j9jjUmcBTFzn_XoLToQx", + "source": { + "@timestamp": "2018-11-27T01:58:06.694Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + 
"host": { + "name": "demo-stack-redis-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32492" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + } + }, + "sequence": 186541 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ZdjiUmcBTFzn_XoLImvA", + "source": { + "@timestamp": "2018-11-27T01:56:50.005Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 186530 + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32480", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ZtjiUmcBTFzn_XoLImvA", + "source": { + "@timestamp": "2018-11-27T01:56:50.006Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186531, + "result": "fail", + "session": 
"unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32480", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Z9jiUmcBTFzn_XoLImvA", + "source": { + "@timestamp": "2018-11-27T01:56:50.037Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32480", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "ssh", + "hostname": "107.170.65.109", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186532, + "result": "fail", + "session": "unset" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"etjlUmcBTFzn_XoLHawN", + "source": { + "@timestamp": "2018-11-27T02:00:05.155Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "785" + }, + "source": { + "ip": "212.159.18.107" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192565, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "object": { + "secondary": "212.159.18.107", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "e9jlUmcBTFzn_XoLHawN", + "source": { + "@timestamp": "2018-11-27T02:00:05.156Z", + "process": { + "pid": "785", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "212.159.18.107" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "212.159.18.107", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192566, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + 
"user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "fNjlUmcBTFzn_XoLHawN", + "source": { + "@timestamp": "2018-11-27T02:00:05.265Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "212.159.18.107" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "hostname": "212.159.18.107", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "212.159.18.107", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192567, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "785", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ZtjjUmcBTFzn_XoLIYEi", + "source": { + "@timestamp": "2018-11-27T01:57:55.128Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32490", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "190.153.219.50" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186536, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "190.153.219.50", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + 
"event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Z9jjUmcBTFzn_XoLIYEi", + "source": { + "@timestamp": "2018-11-27T01:57:55.129Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32490", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "190.153.219.50" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "190.153.219.50", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186537, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "aNjjUmcBTFzn_XoLIYEi", + "source": { + "@timestamp": "2018-11-27T01:57:55.284Z", + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "sequence": 186538, + "result": "fail", + "session": "unset", + "data": { + "hostname": "190.153.219.50", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + 
"primary": "ssh", + "secondary": "190.153.219.50", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + } + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32490", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "190.153.219.50" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ItjiUmcBTFzn_XoLZXBu", + "source": { + "@timestamp": "2018-11-27T01:57:07.073Z", + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "12897", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "151.80.144.39" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "151.80.144.39" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43214, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "I9jiUmcBTFzn_XoLZXBu", + "source": { + "@timestamp": "2018-11-27T01:57:07.073Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + 
"pid": "12897", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "151.80.144.39" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "151.80.144.39", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43215 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "JNjiUmcBTFzn_XoLZXBu", + "source": { + "@timestamp": "2018-11-27T01:57:07.181Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "ssh", + "secondary": "151.80.144.39", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 43216, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "151.80.144.39", + "terminal": "ssh" + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12897" + }, + "source": { + "ip": "151.80.144.39" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "1djjUmcBTFzn_XoLD39T", + "source": { + "@timestamp": "2018-11-27T01:57:50.568Z", + "network": { + "direction": 
"incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "61.73.98.60", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186533, + "result": "fail" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32487", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "61.73.98.60" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "1tjjUmcBTFzn_XoLD39T", + "source": { + "@timestamp": "2018-11-27T01:57:50.570Z", + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32487", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "61.73.98.60" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "61.73.98.60" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186534, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + 
"value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "19jjUmcBTFzn_XoLD39T", + "source": { + "@timestamp": "2018-11-27T01:57:50.730Z", + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32487", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "61.73.98.60" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186535, + "result": "fail", + "session": "unset", + "data": { + "hostname": "61.73.98.60", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "61.73.98.60", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "c9jiUmcBTFzn_XoL9X2Y", + "source": { + "@timestamp": "2018-11-27T01:57:43.982Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192559, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "193.70.39.84" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + 
"host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "pid": "769", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "193.70.39.84" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "dNjiUmcBTFzn_XoL9X2Y", + "source": { + "@timestamp": "2018-11-27T01:57:43.983Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "769" + }, + "source": { + "ip": "193.70.39.84" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "193.70.39.84", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192560, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ddjiUmcBTFzn_XoL9X2Y", + "source": { + "@timestamp": "2018-11-27T01:57:44.094Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "769", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "193.70.39.84" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "193.70.39.84", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": 
{ + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "193.70.39.84", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192561, + "result": "fail" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "lNjkUmcBTFzn_XoLRpqM", + "source": { + "@timestamp": "2018-11-27T01:59:10.239Z", + "host": { + "name": "demo-stack-es-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "104.208.143.92", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44219, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "30166", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.208.143.92" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ldjkUmcBTFzn_XoLRpqM", + "source": { + "@timestamp": "2018-11-27T01:59:10.239Z", + "source": { + "ip": "104.208.143.92" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "104.208.143.92", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + 
"secondary": "(invalid user)" + } + }, + "sequence": 44220, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "30166", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ltjkUmcBTFzn_XoLRpqM", + "source": { + "@timestamp": "2018-11-27T01:59:10.283Z", + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30166" + }, + "source": { + "ip": "104.208.143.92" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44221, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "104.208.143.92" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "104.208.143.92", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "NdnsUmcBTFzn_XoLslKD", + "source": { + "@timestamp": "2018-11-27T02:08:22.166Z", + "process": { + "pid": "30352", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "110.36.221.182" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + 
"actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "110.36.221.182", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44231, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "NtnsUmcBTFzn_XoLslKD", + "source": { + "@timestamp": "2018-11-27T02:08:22.166Z", + "auditd": { + "sequence": 44232, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "110.36.221.182", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "30352", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "110.36.221.182" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "N9nsUmcBTFzn_XoLslKD", + "source": { + "@timestamp": "2018-11-27T02:08:22.414Z", + 
"beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "30352", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "110.36.221.182" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "110.36.221.182", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "110.36.221.182" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44233 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "9tnsUmcBTFzn_XoLt1Lw", + "source": { + "@timestamp": "2018-11-27T02:08:23.554Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30354" + }, + "source": { + "ip": "61.73.98.60" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "sequence": 44234, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "61.73.98.60", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", 
+ "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "99nsUmcBTFzn_XoLt1Lw", + "source": { + "@timestamp": "2018-11-27T02:08:23.554Z", + "source": { + "ip": "61.73.98.60" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "61.73.98.60" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44235 + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "30354", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-NnsUmcBTFzn_XoLt1Lw", + "source": { + "@timestamp": "2018-11-27T02:08:23.714Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "61.73.98.60" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "61.73.98.60", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44236 + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30354" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": 
"7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "source": { + "ip": "61.73.98.60" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "1dnpUmcBTFzn_XoLNAWm", + "source": { + "@timestamp": "2018-11-27T02:04:33.307Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "26060", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "151.80.136.92" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "151.80.136.92", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184405, + "result": "fail" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "1tnpUmcBTFzn_XoLNAWm", + "source": { + "@timestamp": "2018-11-27T02:04:33.309Z", + "source": { + "ip": "151.80.136.92" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184406, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "151.80.136.92", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + 
"version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "26060", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "19npUmcBTFzn_XoLNAWm", + "source": { + "@timestamp": "2018-11-27T02:04:33.423Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "hostname": "151.80.136.92", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "151.80.136.92" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184407, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "26060", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "151.80.136.92" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3tnpUmcBTFzn_XoLOwYm", + "source": { + "@timestamp": "2018-11-27T02:04:35.004Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "hostname": "177.124.89.14", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "177.124.89.14", + "type": 
"user-session", + "primary": "ssh" + } + }, + "sequence": 184408 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "26062", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "177.124.89.14" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6tnpUmcBTFzn_XoLZAmP", + "source": { + "@timestamp": "2018-11-27T02:04:45.605Z", + "process": { + "pid": "32532", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + } + }, + "sequence": 186557 + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "69npUmcBTFzn_XoLZAmP", + "source": { + "@timestamp": "2018-11-27T02:04:45.606Z", + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + 
"data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186558 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32532" + }, + "source": { + "ip": "107.170.65.109" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "7NnpUmcBTFzn_XoLZAmP", + "source": { + "@timestamp": "2018-11-27T02:04:45.638Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32532", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "107.170.65.109" + } + }, + "sequence": 186559, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "107.170.65.109" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FNnsUmcBTFzn_XoLVUul", + "source": { 
+ "@timestamp": "2018-11-27T02:07:58.394Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "19916" + }, + "source": { + "ip": "74.208.43.208" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142410, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "74.208.43.208", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FdnsUmcBTFzn_XoLVUul", + "source": { + "@timestamp": "2018-11-27T02:07:58.395Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19916", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "74.208.43.208" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "74.208.43.208" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142411, + "result": "fail" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + 
}, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FtnsUmcBTFzn_XoLVUul", + "source": { + "@timestamp": "2018-11-27T02:07:58.422Z", + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "process": { + "pid": "19916", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "74.208.43.208" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142412, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "74.208.43.208" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "74.208.43.208", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rtnqUmcBTFzn_XoLniSL", + "source": { + "@timestamp": "2018-11-27T02:06:05.967Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186560, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": 
"root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32540" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "r9nqUmcBTFzn_XoLniSL", + "source": { + "@timestamp": "2018-11-27T02:06:05.968Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186561, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32540", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "sNnqUmcBTFzn_XoLniSL", + "source": { + "@timestamp": "2018-11-27T02:06:05.999Z", + "process": { + "pid": "32540", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": 
"ssh", + "secondary": "107.170.65.109" + } + }, + "sequence": 186562, + "result": "fail" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KtjoUmcBTFzn_XoLSvJx", + "source": { + "@timestamp": "2018-11-27T02:03:33.383Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "26052", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.236.181.158" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184402, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "104.236.181.158", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "K9joUmcBTFzn_XoLSvJx", + "source": { + "@timestamp": "2018-11-27T02:03:33.384Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "26052", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.236.181.158" + }, + "network": { + "direction": "incoming" + 
}, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "104.236.181.158", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184403 + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "LNjoUmcBTFzn_XoLSvJx", + "source": { + "@timestamp": "2018-11-27T02:03:33.426Z", + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "104.236.181.158" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "104.236.181.158" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184404, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "26052" + }, + "source": { + "ip": "104.236.181.158" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "kdnrUmcBTFzn_XoL2j_v", + "source": { + "@timestamp": "2018-11-27T02:07:26.981Z", + "process": { + "pid": 
"32548", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186563, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ktnrUmcBTFzn_XoL2j_v", + "source": { + "@timestamp": "2018-11-27T02:07:26.982Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186564 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32548", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + 
"type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "k9nrUmcBTFzn_XoL2j_v", + "source": { + "@timestamp": "2018-11-27T02:07:27.012Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186565, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "107.170.65.109" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "32548", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ntnpUmcBTFzn_XoLkg3n", + "source": { + "@timestamp": "2018-11-27T02:04:57.466Z", + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "30281", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "89.156.152.134" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44225, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "89.156.152.134", + "type": "user-session", + "primary": "sshd" + } + } + }, + "event": { + "type": 
"user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "n9npUmcBTFzn_XoLkg3n", + "source": { + "@timestamp": "2018-11-27T02:04:57.466Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30281" + }, + "source": { + "ip": "89.156.152.134" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "89.156.152.134", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44226, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "oNnpUmcBTFzn_XoLkg3n", + "source": { + "@timestamp": "2018-11-27T02:04:57.574Z", + "process": { + "pid": "30281", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "89.156.152.134" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44227, + "result": "fail", + "session": "unset", + "data": { + "hostname": "89.156.152.134", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "89.156.152.134" + }, + "how": "/usr/sbin/sshd" + } 
+ }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "VdnrUmcBTFzn_XoLLzF2", + "source": { + "@timestamp": "2018-11-27T02:06:43.078Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "30322", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "210.71.197.80" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "210.71.197.80", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44228, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "VtnrUmcBTFzn_XoLLzF2", + "source": { + "@timestamp": "2018-11-27T02:06:43.078Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "30322", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "210.71.197.80" + }, + "network": { + "direction": "incoming" + }, 
+ "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "sequence": 44229, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "210.71.197.80", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "V9nrUmcBTFzn_XoLLzF2", + "source": { + "@timestamp": "2018-11-27T02:06:43.254Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "30322", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "210.71.197.80" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44230, + "result": "fail", + "session": "unset", + "data": { + "hostname": "210.71.197.80", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "210.71.197.80" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + } + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "8tnwUmcBTFzn_XoLk6fE", + "source": { + "@timestamp": "2018-11-27T02:12:36.443Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + 
"result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "secondary": "37.187.195.209", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 192577 + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "916", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "37.187.195.209" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "89nwUmcBTFzn_XoLk6fE", + "source": { + "@timestamp": "2018-11-27T02:12:36.443Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "37.187.195.209" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192578, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "37.187.195.209", + "type": "user-session" + } + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "916", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "9NnwUmcBTFzn_XoLk6fE", + "source": { + "@timestamp": 
"2018-11-27T02:12:36.550Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "37.187.195.209" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "37.187.195.209", + "type": "user-session", + "primary": "ssh" + } + }, + "sequence": 192579 + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "916", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "37.187.195.209" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "D9nwUmcBTFzn_XoLlqgH", + "source": { + "@timestamp": "2018-11-27T02:12:37.021Z", + "source": { + "ip": "51.38.176.147" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184424, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "51.38.176.147", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": 
"/usr/sbin/sshd", + "pid": "26164" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ENnwUmcBTFzn_XoLlqgH", + "source": { + "@timestamp": "2018-11-27T02:12:37.022Z", + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "51.38.176.147", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184425, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "26164", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.38.176.147" + }, + "network": { + "direction": "incoming" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "EdnwUmcBTFzn_XoLlqgH", + "source": { + "@timestamp": "2018-11-27T02:12:37.127Z", + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "26164", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.38.176.147" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "secondary": "51.38.176.147", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184426, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": 
"51.38.176.147" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "HNnwUmcBTFzn_XoLl6g8", + "source": { + "@timestamp": "2018-11-27T02:12:37.327Z", + "process": { + "pid": "12992", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "81.174.227.27" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "81.174.227.27", + "type": "user-session" + } + }, + "sequence": 43232, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "HdnwUmcBTFzn_XoLl6g8", + "source": { + "@timestamp": "2018-11-27T02:12:37.327Z", + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "81.174.227.27", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43233, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + 
"type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "12992", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "81.174.227.27" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "HtnwUmcBTFzn_XoLl6g8", + "source": { + "@timestamp": "2018-11-27T02:12:37.435Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43234, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "81.174.227.27", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "81.174.227.27" + } + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "12992", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "81.174.227.27" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "DdnwUmcBTFzn_XoLRqHL", + "source": { + "@timestamp": "2018-11-27T02:12:16.736Z", + "source": { + "ip": "159.65.225.184" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": 
{ + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "159.65.225.184", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44250 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30449" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "DtnwUmcBTFzn_XoLRqHL", + "source": { + "@timestamp": "2018-11-27T02:12:16.736Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30449" + }, + "source": { + "ip": "159.65.225.184" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44249, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "159.65.225.184", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "D9nwUmcBTFzn_XoLRqHL", + "source": { + "@timestamp": "2018-11-27T02:12:16.764Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + 
"uid": "0" + }, + "process": { + "pid": "30449", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "159.65.225.184" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "sequence": 44251, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "159.65.225.184", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "159.65.225.184", + "type": "user-session" + } + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qtnwUmcBTFzn_XoLUqId", + "source": { + "@timestamp": "2018-11-27T02:12:19.633Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43226, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "185.91.116.197", + "type": "user-session" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12988", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "185.91.116.197" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "q9nwUmcBTFzn_XoLUqId", + "source": { + "@timestamp": "2018-11-27T02:12:19.633Z", + "network": { + "direction": "incoming" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "185.91.116.197" + } + }, + "sequence": 43227, + "result": "fail" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "12988", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "185.91.116.197" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rNnwUmcBTFzn_XoLUqId", + "source": { + "@timestamp": "2018-11-27T02:12:19.753Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "hostname": "185.91.116.197", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "185.91.116.197" + } + }, + "sequence": 43228, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12988" + }, + "source": { + "ip": "185.91.116.197" + }, + "beat": { + "hostname": 
"demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6NnwUmcBTFzn_XoLjqfh", + "source": { + "@timestamp": "2018-11-27T02:12:35.140Z", + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "26162", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "192.252.209.190" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "192.252.209.190", + "type": "user-session" + } + }, + "sequence": 184421 + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6dnwUmcBTFzn_XoLjqfh", + "source": { + "@timestamp": "2018-11-27T02:12:35.141Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "26162", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "192.252.209.190" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": 
"unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "secondary": "192.252.209.190", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 184422, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6tnwUmcBTFzn_XoLjqfh", + "source": { + "@timestamp": "2018-11-27T02:12:35.173Z", + "process": { + "pid": "26162", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "192.252.209.190" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184423, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "192.252.209.190", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "192.252.209.190" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ctnvUmcBTFzn_XoLp5MU", + "source": { + "@timestamp": "2018-11-27T02:11:35.850Z", + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "912", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "105.16.153.210" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": 
"demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "sequence": 192574, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "105.16.153.210", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "c9nvUmcBTFzn_XoLp5MU", + "source": { + "@timestamp": "2018-11-27T02:11:35.851Z", + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "105.16.153.210", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 192575, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "912" + }, + "source": { + "ip": "105.16.153.210" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "dNnvUmcBTFzn_XoLp5MU", + "source": { + "@timestamp": "2018-11-27T02:11:36.114Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "root", + "primary": 
"unset" + }, + "object": { + "primary": "ssh", + "secondary": "105.16.153.210", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192576, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "105.16.153.210", + "terminal": "ssh" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "912" + }, + "source": { + "ip": "105.16.153.210" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2dnvUmcBTFzn_XoLwpV9", + "source": { + "@timestamp": "2018-11-27T02:11:42.866Z", + "process": { + "pid": "19940", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "167.99.212.179" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "167.99.212.179" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142419, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"2tnvUmcBTFzn_XoLwpV9", + "source": { + "@timestamp": "2018-11-27T02:11:42.867Z", + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19940", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "167.99.212.179" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "167.99.212.179" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142420 + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "29nvUmcBTFzn_XoLwpV9", + "source": { + "@timestamp": "2018-11-27T02:11:42.971Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19940", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "167.99.212.179" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142421, + "result": "fail", + "session": "unset", + "data": { + "hostname": "167.99.212.179", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "167.99.212.179", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "name": 
"demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "8tnvUmcBTFzn_XoLn5Ih", + "source": { + "@timestamp": "2018-11-27T02:11:33.815Z", + "process": { + "pid": "32575", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186575, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "89nvUmcBTFzn_XoLn5Ih", + "source": { + "@timestamp": "2018-11-27T02:11:33.816Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32575" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186576, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": 
"demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "9NnvUmcBTFzn_XoLn5Ih", + "source": { + "@timestamp": "2018-11-27T02:11:33.846Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32575", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186577, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "107.170.65.109" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + } + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "L9nvUmcBTFzn_XoLVo3n", + "source": { + "@timestamp": "2018-11-27T02:11:15.325Z", + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "67.166.24.55", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 186572, + "result": "fail", + "session": "unset" + }, + "event": { + 
"category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32573", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "67.166.24.55" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "MNnvUmcBTFzn_XoLVo3n", + "source": { + "@timestamp": "2018-11-27T02:11:15.326Z", + "source": { + "ip": "67.166.24.55" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186573, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "67.166.24.55", + "type": "user-session" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32573", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "MdnvUmcBTFzn_XoLVo3n", + "source": { + "@timestamp": "2018-11-27T02:11:15.490Z", + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": 
"67.166.24.55" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186574, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "67.166.24.55", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "67.166.24.55", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32573", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "N9nvUmcBTFzn_XoL2Zh8", + "source": { + "@timestamp": "2018-11-27T02:11:48.750Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30433" + }, + "source": { + "ip": "217.182.55.191" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "217.182.55.191", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + }, + "sequence": 44246, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ONnvUmcBTFzn_XoL2Zh8", + "source": { + "@timestamp": "2018-11-27T02:11:48.750Z", + 
"source": { + "ip": "217.182.55.191" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "217.182.55.191", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44247 + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "30433", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "OdnvUmcBTFzn_XoL2Zh8", + "source": { + "@timestamp": "2018-11-27T02:11:48.858Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "30433", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "217.182.55.191" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44248, + "result": "fail", + "session": "unset", + "data": { + "hostname": "217.182.55.191", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "217.182.55.191" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": 
"doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QNnwUmcBTFzn_XoLaKRf", + "source": { + "@timestamp": "2018-11-27T02:12:25.330Z", + "source": { + "ip": "94.16.115.155" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "94.16.115.155", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43229, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "12990", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QdnwUmcBTFzn_XoLaKRf", + "source": { + "@timestamp": "2018-11-27T02:12:25.330Z", + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "pid": "12990", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "94.16.115.155" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "94.16.115.155", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43230 + }, + "event": { + "module": 
"auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "QtnwUmcBTFzn_XoLaKRf", + "source": { + "@timestamp": "2018-11-27T02:12:25.442Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "12990" + }, + "source": { + "ip": "94.16.115.155" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "94.16.115.155" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "94.16.115.155", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43231 + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6dr0UmcBTFzn_XoLnQBb", + "source": { + "@timestamp": "2018-11-27T02:17:01.040Z", + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "26196", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 184433, + "result": "success", + "session": "unset", + "data": { + "op": "PAM:accounting", + "terminal": "cron", + "acct": "root" 
+ } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_acct", + "action": "was-authorized" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "6tr0UmcBTFzn_XoLnQBb", + "source": { + "@timestamp": "2018-11-27T02:17:01.040Z", + "event": { + "category": "user-login", + "type": "cred_acq", + "action": "acquired-credentials", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "26196", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 184434, + "result": "success", + "session": "unset", + "data": { + "terminal": "cron", + "op": "PAM:setcred", + "acct": "root" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "69r0UmcBTFzn_XoLnQBb", + "source": { + "@timestamp": "2018-11-27T02:17:01.042Z", + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "process": { + "pid": "26196", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 184436, + "result": "success", + "session": "9861", + "data": { + "op": "PAM:session_open", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": 
"demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_start", + "action": "started-session", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "7Nr0UmcBTFzn_XoLnQBb", + "source": { + "@timestamp": "2018-11-27T02:17:01.045Z", + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "26196" + }, + "auditd": { + "sequence": 184437, + "result": "success", + "session": "9861", + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:setcred" + }, + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + } + } + }, + "event": { + "category": "user-login", + "type": "cred_disp", + "action": "disposed-credentials", + "module": "auditd" + }, + "user": { + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0", + "uid": "0" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "7dr0UmcBTFzn_XoLnQBb", + "source": { + "@timestamp": "2018-11-27T02:17:01.045Z", + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "26196" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "data": { + "acct": "root", + "op": "PAM:session_close", + "terminal": "cron" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + }, + 
"how": "/usr/sbin/cron" + }, + "sequence": 184438, + "result": "success", + "session": "9861" + }, + "event": { + "category": "user-login", + "type": "user_end", + "action": "ended-session", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "8dr0UmcBTFzn_XoLnQD4", + "source": { + "@timestamp": "2018-11-27T02:17:01.194Z", + "process": { + "pid": "30546", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "result": "success", + "session": "unset", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:setcred" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + }, + "sequence": 44259 + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "cred_acq", + "action": "acquired-credentials" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "8tr0UmcBTFzn_XoLnQD4", + "source": { + "@timestamp": "2018-11-27T02:17:01.194Z", + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "30546", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "result": "success", + "session": "unset", + "data": { + "op": "PAM:accounting", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 44258 + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + 
"name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_acct", + "action": "was-authorized" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "89r0UmcBTFzn_XoLnQD4", + "source": { + "@timestamp": "2018-11-27T02:17:01.194Z", + "event": { + "type": "user_start", + "action": "started-session", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "30546" + }, + "auditd": { + "result": "success", + "session": "1445", + "data": { + "acct": "root", + "op": "PAM:session_open", + "terminal": "cron" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + }, + "sequence": 44261 + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "9Nr0UmcBTFzn_XoLnQD4", + "source": { + "@timestamp": "2018-11-27T02:17:01.198Z", + "event": { + "type": "cred_disp", + "action": "disposed-credentials", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "30546", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "result": "success", + "session": "1445", + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:setcred" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + 
"object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 44262 + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "9dr0UmcBTFzn_XoLnQD4", + "source": { + "@timestamp": "2018-11-27T02:17:01.198Z", + "process": { + "pid": "30546", + "exe": "/usr/sbin/cron" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "sequence": 44263, + "result": "success", + "session": "1445", + "data": { + "terminal": "cron", + "op": "PAM:session_close", + "acct": "root" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "event": { + "category": "user-login", + "type": "user_end", + "action": "ended-session", + "module": "auditd" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "CNr0UmcBTFzn_XoLngEH", + "source": { + "@timestamp": "2018-11-27T02:17:01.212Z", + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "19971" + }, + "auditd": { + "sequence": 142422, + "result": "success", + "session": "unset", + "data": { + "op": "PAM:accounting", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "type": "user_acct", + 
"action": "was-authorized", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Cdr0UmcBTFzn_XoLngEH", + "source": { + "@timestamp": "2018-11-27T02:17:01.213Z", + "process": { + "pid": "19971", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "data": { + "op": "PAM:setcred", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "secondary": "root", + "primary": "unset" + } + }, + "sequence": 142423, + "result": "success", + "session": "unset" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "action": "acquired-credentials", + "module": "auditd", + "category": "user-login", + "type": "cred_acq" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Ctr0UmcBTFzn_XoLngEH", + "source": { + "@timestamp": "2018-11-27T02:17:01.214Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_start", + "action": "started-session" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "19971", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "result": "success", + "session": "3504", + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:session_open" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 142425 + }, + "beat": { + "name": "demo-stack-haproxy-01", + 
"hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "C9r0UmcBTFzn_XoLngEH", + "source": { + "@timestamp": "2018-11-27T02:17:01.217Z", + "user": { + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0", + "uid": "0" + }, + "process": { + "pid": "19971", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "result": "success", + "session": "3504", + "data": { + "acct": "root", + "op": "PAM:setcred", + "terminal": "cron" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 142426 + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "event": { + "category": "user-login", + "type": "cred_disp", + "action": "disposed-credentials", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "DNr0UmcBTFzn_XoLngEH", + "source": { + "@timestamp": "2018-11-27T02:17:01.218Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "process": { + "pid": "19971", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 142427, + "result": "success", + "session": "3504", + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:session_close" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + } + }, + "event": { + "category": "user-login", + "type": "user_end", + "action": "ended-session", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": 
"demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Ddr0UmcBTFzn_XoLngEO", + "source": { + "@timestamp": "2018-11-27T02:17:01.220Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "auditd": { + "data": { + "acct": "root", + "op": "PAM:accounting", + "terminal": "cron" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 192589, + "result": "success", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_acct", + "action": "was-authorized", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "947", + "exe": "/usr/sbin/cron" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Dtr0UmcBTFzn_XoLngEO", + "source": { + "@timestamp": "2018-11-27T02:17:01.220Z", + "event": { + "category": "user-login", + "type": "cred_acq", + "action": "acquired-credentials", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "947", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:setcred" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 192590, + "result": "success" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" 
+ } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "D9r0UmcBTFzn_XoLngEO", + "source": { + "@timestamp": "2018-11-27T02:17:01.222Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_start", + "action": "started-session", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "process": { + "pid": "947", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "session": "9865", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:session_open" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 192592, + "result": "success" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ENr0UmcBTFzn_XoLngEO", + "source": { + "@timestamp": "2018-11-27T02:17:01.225Z", + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "auditd": { + "result": "success", + "session": "9865", + "data": { + "acct": "root", + "op": "PAM:setcred", + "terminal": "cron" + }, + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 192593 + }, + "event": { + "category": "user-login", + "type": "cred_disp", + "action": "disposed-credentials", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "process": { + "pid": "947", + "exe": "/usr/sbin/cron" + } + } + } +} + +{ + 
"type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Edr0UmcBTFzn_XoLngEO", + "source": { + "@timestamp": "2018-11-27T02:17:01.226Z", + "user": { + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0", + "auid": "0" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "process": { + "pid": "947", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 192594, + "result": "success", + "session": "9865", + "data": { + "op": "PAM:session_close", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "cron" + } + } + }, + "event": { + "category": "user-login", + "type": "user_end", + "action": "ended-session", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Etr0UmcBTFzn_XoLngEt", + "source": { + "@timestamp": "2018-11-27T02:17:01.245Z", + "process": { + "exe": "/usr/sbin/cron", + "pid": "13026" + }, + "auditd": { + "result": "success", + "session": "unset", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:accounting" + }, + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 43247 + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_acct", + "action": "was-authorized", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "E9r0UmcBTFzn_XoLngEt", + "source": { + "@timestamp": "2018-11-27T02:17:01.249Z", + "event": { + "category": "user-login", + "type": "cred_acq", + "action": "acquired-credentials", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "13026", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 43248, + "result": "success", + "session": "unset", + "data": { + "op": "PAM:setcred", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FNr0UmcBTFzn_XoLngEt", + "source": { + "@timestamp": "2018-11-27T02:17:01.249Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "13026" + }, + "auditd": { + "sequence": 43250, + "result": "success", + "session": "1253", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:session_open" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "event": { + "category": "user-login", + "type": "user_start", + "action": "started-session", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Fdr0UmcBTFzn_XoLngEt", + "source": { + "@timestamp": "2018-11-27T02:17:01.257Z", + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "action": "disposed-credentials", + "module": "auditd", + "category": "user-login", + "type": "cred_disp" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "13026", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "session": "1253", + "data": { + "op": "PAM:setcred", + "acct": "root", + "terminal": "cron" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "secondary": "root", + "primary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + }, + "sequence": 43251, + "result": "success" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Ftr0UmcBTFzn_XoLngEt", + "source": { + "@timestamp": "2018-11-27T02:17:01.257Z", + "auditd": { + "sequence": 43252, + "result": "success", + "session": "1253", + "data": { + "terminal": "cron", + "op": "PAM:session_close", + "acct": "root" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + } + }, + "event": { + "category": "user-login", + "type": "user_end", + "action": "ended-session", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "exe": "/usr/sbin/cron", + "pid": "13026" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "INr0UmcBTFzn_XoLoAHh", + "source": { + "@timestamp": "2018-11-27T02:17:01.906Z", + "event": { + "category": "user-login", + "type": "user_acct", + "action": "was-authorized", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32605", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "sequence": 186590, + "result": "success", + "session": "unset", + "data": { + "acct": "root", + "terminal": "cron", + "op": "PAM:accounting" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Idr0UmcBTFzn_XoLoAHh", + "source": { + "@timestamp": "2018-11-27T02:17:01.907Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "cred_acq", + "action": "acquired-credentials", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32605", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "root", + "op": "PAM:setcred", + "terminal": "cron" + }, + "summary": { + "how": "/usr/sbin/cron", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "cron", + "type": "user-session" + } + }, + "sequence": 186591, + "result": "success" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": 
"doc", + "id": "Itr0UmcBTFzn_XoLoAHh", + "source": { + "@timestamp": "2018-11-27T02:17:01.908Z", + "process": { + "pid": "32605", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "session": "3512", + "data": { + "op": "PAM:session_open", + "terminal": "cron", + "acct": "root" + }, + "summary": { + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron", + "actor": { + "secondary": "root", + "primary": "root" + } + }, + "sequence": 186593, + "result": "success" + }, + "event": { + "category": "user-login", + "type": "user_start", + "action": "started-session", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "I9r0UmcBTFzn_XoLoAHh", + "source": { + "@timestamp": "2018-11-27T02:17:01.911Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "process": { + "pid": "32605", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "data": { + "terminal": "cron", + "acct": "root", + "op": "PAM:setcred" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "cron" + }, + "how": "/usr/sbin/cron", + "actor": { + "primary": "root", + "secondary": "root" + } + }, + "sequence": 186594, + "result": "success", + "session": "3512" + }, + "event": { + "category": "user-login", + "type": "cred_disp", + "action": "disposed-credentials", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "auid": "root", + "uid": "root" + }, + "auid": "0" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"JNr0UmcBTFzn_XoLoAHh", + "source": { + "@timestamp": "2018-11-27T02:17:01.912Z", + "event": { + "category": "user-login", + "type": "user_end", + "action": "ended-session", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "0", + "name_map": { + "auid": "root", + "uid": "root" + } + }, + "process": { + "pid": "32605", + "exe": "/usr/sbin/cron" + }, + "auditd": { + "summary": { + "actor": { + "primary": "root", + "secondary": "root" + }, + "object": { + "primary": "cron", + "type": "user-session" + }, + "how": "/usr/sbin/cron" + }, + "sequence": 186595, + "result": "success", + "session": "3512", + "data": { + "op": "PAM:session_close", + "terminal": "cron", + "acct": "root" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "G9r1UmcBTFzn_XoLvBrE", + "source": { + "@timestamp": "2018-11-27T02:18:14.617Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "122.160.137.37", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142428 + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "19981", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "122.160.137.37" + } + } + } +} + +{ + 
"type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "HNr1UmcBTFzn_XoLvBrE", + "source": { + "@timestamp": "2018-11-27T02:18:14.619Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "122.160.137.37", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142429, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19981", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "122.160.137.37" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Hdr1UmcBTFzn_XoLvBrE", + "source": { + "@timestamp": "2018-11-27T02:18:14.905Z", + "source": { + "ip": "122.160.137.37" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142430, + "result": "fail", + "session": "unset", + "data": { + "hostname": "122.160.137.37", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "122.160.137.37", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + 
"action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "19981", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Htr1UmcBTFzn_XoLvRof", + "source": { + "@timestamp": "2018-11-27T02:18:14.709Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "process": { + "pid": "960", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "200.207.220.128" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192598, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "200.207.220.128", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "H9r1UmcBTFzn_XoLvRof", + "source": { + "@timestamp": "2018-11-27T02:18:14.710Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "960", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "200.207.220.128" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + 
"summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "200.207.220.128" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192599, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "INr1UmcBTFzn_XoLvRof", + "source": { + "@timestamp": "2018-11-27T02:18:14.895Z", + "auditd": { + "data": { + "hostname": "200.207.220.128", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "200.207.220.128" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192600, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "960", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "200.207.220.128" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "MtnzUmcBTFzn_XoLcefM", + "source": { + "@timestamp": "2018-11-27T02:15:44.351Z", + "source": { + "ip": "147.135.208.7" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown 
user)" + }, + "object": { + "primary": "sshd", + "secondary": "147.135.208.7", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43241 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13016" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "M9nzUmcBTFzn_XoLcefM", + "source": { + "@timestamp": "2018-11-27T02:15:44.351Z", + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "13016", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "147.135.208.7" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "147.135.208.7", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 43242, + "result": "fail", + "session": "unset" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "NNnzUmcBTFzn_XoLcefM", + "source": { + "@timestamp": "2018-11-27T02:15:44.487Z", + "source": { + "ip": "147.135.208.7" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + 
"session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "147.135.208.7" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "147.135.208.7", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43243, + "result": "fail" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "13016", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "S9nzUmcBTFzn_XoLdeex", + "source": { + "@timestamp": "2018-11-27T02:15:45.351Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "32602", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186587, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + 
"id": "TNnzUmcBTFzn_XoLdeex", + "source": { + "@timestamp": "2018-11-27T02:15:45.352Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186588, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32602", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "TdnzUmcBTFzn_XoLdeex", + "source": { + "@timestamp": "2018-11-27T02:15:45.383Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 186589 + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32602", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": 
"demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "J9r1UmcBTFzn_XoLwBpB", + "source": { + "@timestamp": "2018-11-27T02:18:15.507Z", + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "13035", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "109.75.216.201" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "109.75.216.201", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 43253, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KNr1UmcBTFzn_XoLwBpB", + "source": { + "@timestamp": "2018-11-27T02:18:15.507Z", + "process": { + "pid": "13035", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "109.75.216.201" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + 
"secondary": "109.75.216.201", + "type": "user-session" + } + }, + "sequence": 43254, + "result": "fail" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Kdr1UmcBTFzn_XoLwBpB", + "source": { + "@timestamp": "2018-11-27T02:18:15.647Z", + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "13035", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "109.75.216.201" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "ssh", + "secondary": "109.75.216.201", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 43255, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "109.75.216.201" + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "htr1UmcBTFzn_XoLxhrF", + "source": { + "@timestamp": "2018-11-27T02:18:17.176Z", + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "165.227.5.206" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43256, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + } + }, + "beat": { + 
"name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13037" + }, + "source": { + "ip": "165.227.5.206" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "h9r1UmcBTFzn_XoLxhrF", + "source": { + "@timestamp": "2018-11-27T02:18:17.176Z", + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "165.227.5.206", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43257, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13037" + }, + "source": { + "ip": "165.227.5.206" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "iNr1UmcBTFzn_XoLxhrF", + "source": { + "@timestamp": "2018-11-27T02:18:17.220Z", + "auditd": { + "sequence": 43258, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "165.227.5.206", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": 
{ + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "165.227.5.206", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "13037", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "165.227.5.206" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "4tr2UmcBTFzn_XoLCyDa", + "source": { + "@timestamp": "2018-11-27T02:18:34.864Z", + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186599, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32621", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "49r2UmcBTFzn_XoLCyDa", + "source": { + "@timestamp": "2018-11-27T02:18:34.866Z", + 
"process": { + "pid": "32621", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186600, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5Nr2UmcBTFzn_XoLCyDa", + "source": { + "@timestamp": "2018-11-27T02:18:34.896Z", + "process": { + "pid": "32621", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186601, + "result": "fail", + "session": "unset", + "data": { + "hostname": "107.170.65.109", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + 
} +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "A9r0UmcBTFzn_XoLvwRX", + "source": { + "@timestamp": "2018-11-27T02:17:09.740Z", + "process": { + "pid": "32613", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 186596, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "BNr0UmcBTFzn_XoLvwRX", + "source": { + "@timestamp": "2018-11-27T02:17:09.742Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 186597 + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + 
}, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32613", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Bdr0UmcBTFzn_XoLvwRX", + "source": { + "@timestamp": "2018-11-27T02:17:09.772Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "hostname": "107.170.65.109", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186598, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32613", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Z9n0UmcBTFzn_XoLLvfV", + "source": { + "@timestamp": "2018-11-27T02:16:32.747Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "26188", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.131.79.34" + }, + "network": { + "direction": 
"incoming" + }, + "auditd": { + "sequence": 184430, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "104.131.79.34" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "aNn0UmcBTFzn_XoLLvfV", + "source": { + "@timestamp": "2018-11-27T02:16:32.748Z", + "process": { + "pid": "26188", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.131.79.34" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184431, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "104.131.79.34" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "adn0UmcBTFzn_XoLLvfV", + "source": { + "@timestamp": "2018-11-27T02:16:32.779Z", + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "104.131.79.34" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" 
+ }, + "object": { + "primary": "ssh", + "secondary": "104.131.79.34", + "type": "user-session" + } + }, + "sequence": 184432, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "26188", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.131.79.34" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "wdr1UmcBTFzn_XoLdBNI", + "source": { + "@timestamp": "2018-11-27T02:17:56.062Z", + "source": { + "ip": "89.156.152.134" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "89.156.152.134", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192595, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "957", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "wtr1UmcBTFzn_XoLdBNI", + "source": { + "@timestamp": "2018-11-27T02:17:56.063Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192596, + "result": "fail", + 
"session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "89.156.152.134", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "957", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "89.156.152.134" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "w9r1UmcBTFzn_XoLdBNI", + "source": { + "@timestamp": "2018-11-27T02:17:56.190Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "89.156.152.134" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "89.156.152.134", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192597, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "957", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "89.156.152.134" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + 
"id": "UNnzUmcBTFzn_XoLwu4u", + "source": { + "@timestamp": "2018-11-27T02:16:04.928Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "13018", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.33.168.254" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "178.33.168.254", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43244, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "UdnzUmcBTFzn_XoLwu4u", + "source": { + "@timestamp": "2018-11-27T02:16:04.928Z", + "auditd": { + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "178.33.168.254", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 43245, + "result": "fail", + "session": "unset" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13018" + }, + 
"source": { + "ip": "178.33.168.254" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "UtnzUmcBTFzn_XoLwu4u", + "source": { + "@timestamp": "2018-11-27T02:16:05.048Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "13018", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.33.168.254" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "hostname": "178.33.168.254", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "178.33.168.254", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43246, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "DdsBU2cBTFzn_XoL2SOm", + "source": { + "@timestamp": "2018-11-27T02:31:28.442Z", + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "147.135.208.7", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43274, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "13130", + 
"exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "147.135.208.7" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "DtsBU2cBTFzn_XoL2SOm", + "source": { + "@timestamp": "2018-11-27T02:31:28.442Z", + "process": { + "pid": "13130", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "147.135.208.7" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43275, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "147.135.208.7" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "D9sBU2cBTFzn_XoL2SOm", + "source": { + "@timestamp": "2018-11-27T02:31:28.574Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "147.135.208.7" + }, + "summary": { + "object": { + "secondary": "147.135.208.7", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + } + }, + "sequence": 43276, + "result": "fail", + "session": "unset" 
+ }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "13130", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "147.135.208.7" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ENsBU2cBTFzn_XoL2SOm", + "source": { + "@timestamp": "2018-11-27T02:31:28.994Z", + "user": { + "suid": "0", + "name_map": { + "fsuid": "root", + "gid": "root", + "sgid": "root", + "suid": "root", + "uid": "root", + "egid": "root", + "euid": "root", + "fsgid": "root" + }, + "gid": "0", + "auid": "unset", + "fsgid": "0", + "fsuid": "0", + "uid": "0", + "egid": "0", + "sgid": "0", + "euid": "0" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "ppid": "1379", + "title": "/sbin/iptables -w -I sshguard -s 147.135.208.7 -j DROP", + "name": "iptables", + "exe": "/sbin/xtables-multi", + "pid": "13132" + }, + "auditd": { + "result": "success", + "session": "unset", + "data": { + "syscall": "setsockopt", + "a0": "5", + "tty": "(none)", + "table": "filter", + "a2": "40", + "a3": "8ae870", + "a1": "0", + "family": "2", + "entries": "154", + "arch": "x86_64", + "exit": "0" + }, + "summary": { + "object": { + "primary": "filter", + "type": "firewall" + }, + "how": "/sbin/xtables-multi", + "actor": { + "secondary": "root", + "primary": "unset" + } + }, + "sequence": 43277 + }, + "event": { + "category": "configuration", + "type": "netfilter_cfg", + "action": "loaded-firewall-rule-to", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Ztr_UmcBTFzn_XoLP-rA", + "source": { + "@timestamp": "2018-11-27T02:28:37.974Z", + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + }, + "sequence": 186620 + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32675", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Z9r_UmcBTFzn_XoLP-rA", + "source": { + "@timestamp": "2018-11-27T02:28:37.975Z", + "auditd": { + "sequence": 186621, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + 
"process": { + "pid": "32675", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "aNr_UmcBTFzn_XoLP-rA", + "source": { + "@timestamp": "2018-11-27T02:28:38.007Z", + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "107.170.65.109" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186622, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32675" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-dsAU2cBTFzn_XoLlQYl", + "source": { + "@timestamp": "2018-11-27T02:30:05.371Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32684" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186623, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "107.170.65.109", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + 
"hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-tsAU2cBTFzn_XoLlQYl", + "source": { + "@timestamp": "2018-11-27T02:30:05.372Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32684" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 186624, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "-9sAU2cBTFzn_XoLlQYl", + "source": { + "@timestamp": "2018-11-27T02:30:05.403Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32684" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 
186625, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "107.170.65.109", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "M9sBU2cBTFzn_XoLwCBF", + "source": { + "@timestamp": "2018-11-27T02:31:21.946Z", + "auditd": { + "sequence": 186626, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "118.25.133.243", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "32692" + }, + "source": { + "ip": "118.25.133.243" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "NNsBU2cBTFzn_XoLwCBF", + "source": { + "@timestamp": "2018-11-27T02:31:21.947Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + 
"name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32692", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "118.25.133.243" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186627, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "118.25.133.243", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "NdsBU2cBTFzn_XoLwCBF", + "source": { + "@timestamp": "2018-11-27T02:31:22.162Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "32692", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "118.25.133.243" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "118.25.133.243", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "118.25.133.243" + } + }, + "sequence": 186628, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "D9oAU2cBTFzn_XoLOP8t", + 
"source": { + "@timestamp": "2018-11-27T02:29:41.565Z", + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "13117", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "128.0.121.176" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "128.0.121.176", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43271, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ENoAU2cBTFzn_XoLOP8t", + "source": { + "@timestamp": "2018-11-27T02:29:41.569Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "128.0.121.176", + "type": "user-session" + } + }, + "sequence": 43272, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "13117", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "128.0.121.176" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": 
"7.0.0-alpha1", + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "EdoAU2cBTFzn_XoLOP8t", + "source": { + "@timestamp": "2018-11-27T02:29:41.677Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "13117", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "128.0.121.176" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "128.0.121.176" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "128.0.121.176", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43273 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "dNsBU2cBTFzn_XoL7CTn", + "source": { + "@timestamp": "2018-11-27T02:31:33.373Z", + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32694", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 
186629, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ddsBU2cBTFzn_XoL7CTn", + "source": { + "@timestamp": "2018-11-27T02:31:33.375Z", + "process": { + "pid": "32694", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186630, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "107.170.65.109" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "dtsBU2cBTFzn_XoL7CTn", + "source": { + "@timestamp": "2018-11-27T02:31:33.406Z", + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32694", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "107.170.65.109" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186631, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "107.170.65.109", + "op": "PAM:bad_ident" + }, + "summary": { + "how": 
"/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "107.170.65.109", + "type": "user-session", + "primary": "ssh" + } + } + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "G9sCU2cBTFzn_XoLvzai", + "source": { + "@timestamp": "2018-11-27T02:32:27.319Z", + "auditd": { + "sequence": 192613, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "198.27.80.211", + "type": "user-session" + } + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "1045" + }, + "source": { + "ip": "198.27.80.211" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "HNsCU2cBTFzn_XoLvzai", + "source": { + "@timestamp": "2018-11-27T02:32:27.320Z", + "source": { + "ip": "198.27.80.211" + }, + "network": { + "direction": "incoming" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": 
"7.0.0-alpha1" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "198.27.80.211", + "type": "user-session" + } + }, + "sequence": 192614, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "1045", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "HdsCU2cBTFzn_XoLvzai", + "source": { + "@timestamp": "2018-11-27T02:32:27.362Z", + "auditd": { + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "198.27.80.211" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "198.27.80.211", + "type": "user-session" + } + }, + "sequence": 192615, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "1045", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "198.27.80.211" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Sdr-UmcBTFzn_XoLMtPX", + "source": { + "@timestamp": "2018-11-27T02:27:29.130Z", + "event": { + "module": "auditd", + 
"category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "13103", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "54.37.67.193" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "54.37.67.193" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43268 + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Str-UmcBTFzn_XoLMtPX", + "source": { + "@timestamp": "2018-11-27T02:27:29.130Z", + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13103" + }, + "source": { + "ip": "54.37.67.193" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "54.37.67.193" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + }, + "sequence": 43269, + "result": "fail" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { 
+ "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "S9r-UmcBTFzn_XoLMtPX", + "source": { + "@timestamp": "2018-11-27T02:27:29.242Z", + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "beat": { + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "13103", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "54.37.67.193" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "54.37.67.193", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "object": { + "secondary": "54.37.67.193", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 43270, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "q9sAU2cBTFzn_XoLYwI6", + "source": { + "@timestamp": "2018-11-27T02:29:52.590Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "30802", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "128.0.118.65" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44276, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "secondary": "128.0.118.65", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": 
"unset" + } + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rNsAU2cBTFzn_XoLYwI6", + "source": { + "@timestamp": "2018-11-27T02:29:52.590Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "128.0.118.65", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 44277, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "30802" + }, + "source": { + "ip": "128.0.118.65" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rdsAU2cBTFzn_XoLYwI6", + "source": { + "@timestamp": "2018-11-27T02:29:52.694Z", + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "30802", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "128.0.118.65" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": 
"128.0.118.65" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "128.0.118.65", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44278, + "result": "fail" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0twMU2cBTFzn_XoL7xUF", + "source": { + "@timestamp": "2018-11-27T02:43:34.811Z", + "source": { + "ip": "167.99.54.4" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184466, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "167.99.54.4" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "26446" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "09wMU2cBTFzn_XoL7xUF", + "source": { + "@timestamp": "2018-11-27T02:43:34.812Z", + "source": { + "ip": "167.99.54.4" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "167.99.54.4" + }, + "how": 
"/usr/sbin/sshd" + }, + "sequence": 184467, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "26446" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "1NwMU2cBTFzn_XoL7xUF", + "source": { + "@timestamp": "2018-11-27T02:43:34.843Z", + "process": { + "pid": "26446", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "167.99.54.4" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "hostname": "167.99.54.4", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "167.99.54.4", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184468, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3dwMU2cBTFzn_XoL9RW0", + "source": { + "@timestamp": "2018-11-27T02:43:36.522Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + 
"auid": "unset" + }, + "process": { + "pid": "26448", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "37.120.174.127" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184469, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "37.120.174.127", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "3twMU2cBTFzn_XoL9RW0", + "source": { + "@timestamp": "2018-11-27T02:43:36.524Z", + "source": { + "ip": "37.120.174.127" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "37.120.174.127", + "type": "user-session" + } + }, + "sequence": 184470 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "26448", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "39wMU2cBTFzn_XoL9RW0", + "source": { + "@timestamp": 
"2018-11-27T02:43:36.635Z", + "auditd": { + "sequence": 184471, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "37.120.174.127", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "37.120.174.127", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "26448", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "37.120.174.127" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "1twNU2cBTFzn_XoL_CyZ", + "source": { + "@timestamp": "2018-11-27T02:44:43.822Z", + "source": { + "ip": "104.248.123.206" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "104.248.123.206", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + }, + "sequence": 142450, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "20137", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + 
"name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "19wNU2cBTFzn_XoL_CyZ", + "source": { + "@timestamp": "2018-11-27T02:44:43.823Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "20137" + }, + "source": { + "ip": "104.248.123.206" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "104.248.123.206", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142451, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "2NwNU2cBTFzn_XoL_CyZ", + "source": { + "@timestamp": "2018-11-27T02:44:43.854Z", + "process": { + "pid": "20137", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "104.248.123.206" + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142452, + "result": "fail", + "session": "unset", + "data": { + "hostname": "104.248.123.206", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "104.248.123.206", + "type": 
"user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "sdwMU2cBTFzn_XoLxRBj", + "source": { + "@timestamp": "2018-11-27T02:43:22.108Z", + "source": { + "ip": "35.189.59.154" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "35.189.59.154", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184463, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "26443", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "stwMU2cBTFzn_XoLxRBj", + "source": { + "@timestamp": "2018-11-27T02:43:22.109Z", + "host": { + "name": "demo-stack-apache-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "26443", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "35.189.59.154" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "secondary": "35.189.59.154", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + 
"actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 184464, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "s9wMU2cBTFzn_XoLxRBj", + "source": { + "@timestamp": "2018-11-27T02:43:22.284Z", + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "data": { + "terminal": "ssh", + "hostname": "35.189.59.154", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "35.189.59.154" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184465, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "26443", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "35.189.59.154" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "S9wNU2cBTFzn_XoLwCiw", + "source": { + "@timestamp": "2018-11-27T02:44:28.486Z", + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "209.240.59.106" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186642, + "result": "fail", + "session": "unset", + "data": { + "acct": 
"(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "209.240.59.106" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32760", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "TNwNU2cBTFzn_XoLwCiw", + "source": { + "@timestamp": "2018-11-27T02:44:28.487Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32760", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "209.240.59.106" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "209.240.59.106", + "type": "user-session" + } + }, + "sequence": 186643, + "result": "fail", + "session": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "TdwNU2cBTFzn_XoLwCiw", + "source": { + "@timestamp": "2018-11-27T02:44:28.539Z", + "process": { + "pid": "32760", + 
"exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "209.240.59.106" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "209.240.59.106", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186644, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "209.240.59.106", + "terminal": "ssh" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FNwNU2cBTFzn_XoL4yrB", + "source": { + "@timestamp": "2018-11-27T02:44:37.463Z", + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "32763", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.254.123.131" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "51.254.123.131", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186645, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + 
"value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FdwNU2cBTFzn_XoL4yrB", + "source": { + "@timestamp": "2018-11-27T02:44:37.464Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "secondary": "51.254.123.131", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186646 + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "32763", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.254.123.131" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FtwNU2cBTFzn_XoL4yrB", + "source": { + "@timestamp": "2018-11-27T02:44:37.575Z", + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "pid": "32763", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.254.123.131" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "51.254.123.131" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "51.254.123.131", + "type": "user-session" + } + }, + "sequence": 186647 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": 
"root" + }, + "auid": "unset", + "uid": "0" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ldwMU2cBTFzn_XoLmw6z", + "source": { + "@timestamp": "2018-11-27T02:43:13.482Z", + "process": { + "pid": "1168", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "158.69.59.90" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "158.69.59.90" + } + }, + "sequence": 192646, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ltwMU2cBTFzn_XoLmw6z", + "source": { + "@timestamp": "2018-11-27T02:43:13.483Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "158.69.59.90" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "158.69.59.90" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192647 + }, + "event": { + "type": 
"user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "1168", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "l9wMU2cBTFzn_XoLmw6z", + "source": { + "@timestamp": "2018-11-27T02:43:13.525Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "158.69.59.90", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "158.69.59.90", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192648 + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "1168", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "158.69.59.90" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ZdwOU2cBTFzn_XoLGy-N", + "source": { + "@timestamp": "2018-11-27T02:44:51.746Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "sshd", + "secondary": "71.174.75.11", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 186648, + "result": "fail", + "session": "unset", + "data": { + 
"op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + }, + "process": { + "pid": "32765", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "71.174.75.11" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ZtwOU2cBTFzn_XoLGy-N", + "source": { + "@timestamp": "2018-11-27T02:44:51.747Z", + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "71.174.75.11", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + }, + "sequence": 186649, + "result": "fail" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "32765", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "71.174.75.11" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Z9wOU2cBTFzn_XoLGy-N", + "source": { + "@timestamp": "2018-11-27T02:44:51.787Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "32765", + "exe": "/usr/sbin/sshd" + }, + 
"source": { + "ip": "71.174.75.11" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "71.174.75.11", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "71.174.75.11", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186650, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "C9wPU2cBTFzn_XoLYUv1", + "source": { + "@timestamp": "2018-11-27T02:46:15.305Z", + "process": { + "pid": "13218", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "159.89.180.93" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "auditd": { + "sequence": 43288, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "159.89.180.93", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "DNwPU2cBTFzn_XoLYUv1", + "source": { + 
"@timestamp": "2018-11-27T02:46:15.305Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13218" + }, + "source": { + "ip": "159.89.180.93" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43289, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "159.89.180.93", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "DdwPU2cBTFzn_XoLYUv1", + "source": { + "@timestamp": "2018-11-27T02:46:15.337Z", + "source": { + "ip": "159.89.180.93" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "159.89.180.93", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "159.89.180.93", + "type": "user-session" + } + }, + "sequence": 43290, + "result": "fail" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "13218", 
+ "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_twNU2cBTFzn_XoLjiIW", + "source": { + "@timestamp": "2018-11-27T02:44:15.532Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "217.141.88.34" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "217.141.88.34" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142449 + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "20129", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "217.141.88.34" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5NwRU2cBTFzn_XoLtH2C", + "source": { + "@timestamp": "2018-11-27T02:48:47.512Z", + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "sequence": 142454, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "51.15.251.165" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": 
"user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "20159", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.15.251.165" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5dwRU2cBTFzn_XoLtH2C", + "source": { + "@timestamp": "2018-11-27T02:48:47.513Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "20159" + }, + "source": { + "ip": "51.15.251.165" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "secondary": "51.15.251.165", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 142455, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + } + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5twRU2cBTFzn_XoLtH2C", + "source": { + "@timestamp": "2018-11-27T02:48:47.619Z", + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "20159", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "51.15.251.165" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": 
"7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "51.15.251.165", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "51.15.251.165", + "type": "user-session" + } + }, + "sequence": 142456, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "sdwQU2cBTFzn_XoLA1gL", + "source": { + "@timestamp": "2018-11-27T02:46:56.545Z", + "process": { + "pid": "26473", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "35.243.183.165" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "35.243.183.165", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184472, + "result": "fail" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "stwQU2cBTFzn_XoLA1gL", + "source": { + "@timestamp": "2018-11-27T02:46:56.546Z", + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": 
"unset" + }, + "process": { + "pid": "26473", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "35.243.183.165" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "35.243.183.165", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 184473, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "s9wQU2cBTFzn_XoLA1gL", + "source": { + "@timestamp": "2018-11-27T02:46:56.586Z", + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "26473" + }, + "source": { + "ip": "35.243.183.165" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "ssh", + "secondary": "35.243.183.165", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 184474, + "result": "fail", + "session": "unset", + "data": { + "hostname": "35.243.183.165", + "terminal": "ssh", + "op": "PAM:bad_ident" + } + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "mdwQU2cBTFzn_XoLL132", + "source": { + "@timestamp": "2018-11-27T02:47:08.044Z", + "user": { + "auid": "unset", + 
"name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "1190", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "219.65.51.21" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "219.65.51.21", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 192649, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "mtwQU2cBTFzn_XoLL132", + "source": { + "@timestamp": "2018-11-27T02:47:08.045Z", + "process": { + "pid": "1190", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "source": { + "ip": "219.65.51.21" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "219.65.51.21", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192650 + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + 
"value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "m9wQU2cBTFzn_XoLL132", + "source": { + "@timestamp": "2018-11-27T02:47:08.272Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "1190", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "219.65.51.21" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "secondary": "219.65.51.21", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 192651, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "219.65.51.21" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "EdwQU2cBTFzn_XoLXmE8", + "source": { + "@timestamp": "2018-11-27T02:47:19.890Z", + "auditd": { + "sequence": 184475, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "178.128.119.59", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" 
+ }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "26475" + }, + "source": { + "ip": "178.128.119.59" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "EtwQU2cBTFzn_XoLXmE8", + "source": { + "@timestamp": "2018-11-27T02:47:19.892Z", + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "178.128.119.59", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + }, + "sequence": 184476, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "26475", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.128.119.59" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "E9wQU2cBTFzn_XoLXmE8", + "source": { + "@timestamp": "2018-11-27T02:47:20.084Z", + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "26475", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.128.119.59" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184477, + "result": "fail", + "session": "unset", + "data": { + "hostname": "178.128.119.59", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { 
+ "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "178.128.119.59", + "type": "user-session" + } + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "LNwRU2cBTFzn_XoLM3Pb", + "source": { + "@timestamp": "2018-11-27T02:48:14.577Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "319" + }, + "source": { + "ip": "120.197.130.118" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "120.197.130.118", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186654, + "result": "fail" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "LdwRU2cBTFzn_XoLM3Pb", + "source": { + "@timestamp": "2018-11-27T02:48:14.578Z", + "auditd": { + "sequence": 186655, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "120.197.130.118", + "type": 
"user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "319" + }, + "source": { + "ip": "120.197.130.118" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "LtwRU2cBTFzn_XoLM3Pb", + "source": { + "@timestamp": "2018-11-27T02:48:14.782Z", + "process": { + "pid": "319", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "120.197.130.118" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "120.197.130.118", + "type": "user-session", + "primary": "ssh" + } + }, + "sequence": 186656, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "120.197.130.118" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gtwRU2cBTFzn_XoLA25t", + "source": { + "@timestamp": "2018-11-27T02:48:02.179Z", + "process": { + "pid": "26483", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "128.0.118.65" + }, + "network": { + 
"direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "128.0.118.65" + } + }, + "sequence": 184478, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "g9wRU2cBTFzn_XoLA25t", + "source": { + "@timestamp": "2018-11-27T02:48:02.180Z", + "process": { + "pid": "26483", + "exe": "/usr/sbin/sshd" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "source": { + "ip": "128.0.118.65" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 184479, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "128.0.118.65", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"hNwRU2cBTFzn_XoLA25t", + "source": { + "@timestamp": "2018-11-27T02:48:02.288Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "128.0.118.65" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "128.0.118.65", + "type": "user-session", + "primary": "ssh" + } + }, + "sequence": 184480, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "26483", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "128.0.118.65" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "1dwQU2cBTFzn_XoLnGVv", + "source": { + "@timestamp": "2018-11-27T02:47:35.813Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "312", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "169.61.96.71" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "169.61.96.71", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186651 + }, + "event": { + "module": "auditd", + 
"category": "user-login", + "type": "user_login", + "action": "logged-in" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "1twQU2cBTFzn_XoLnGVv", + "source": { + "@timestamp": "2018-11-27T02:47:35.815Z", + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "auditd": { + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "169.61.96.71", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 186652, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "312", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "169.61.96.71" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "19wQU2cBTFzn_XoLnGVv", + "source": { + "@timestamp": "2018-11-27T02:47:35.854Z", + "auditd": { + "data": { + "hostname": "169.61.96.71", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "169.61.96.71", + "type": "user-session" + } + }, + "sequence": 186653, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "312", + "exe": 
"/usr/sbin/sshd" + }, + "source": { + "ip": "169.61.96.71" + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ItwQU2cBTFzn_XoL2Gtu", + "source": { + "@timestamp": "2018-11-27T02:47:51.172Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "20151" + }, + "source": { + "ip": "104.248.157.6" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "hostname": "104.248.157.6", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "104.248.157.6", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142453, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "adwPU2cBTFzn_XoLb0w5", + "source": { + "@timestamp": "2018-11-27T02:46:18.698Z", + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "source": { + "ip": "5.196.69.191" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "5.196.69.191", + "type": "user-session" + } + }, + "sequence": 
44301, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "5.196.69.191" + } + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31309", + "exe": "/usr/sbin/sshd" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "VNwTU2cBTFzn_XoL0qyL", + "source": { + "@timestamp": "2018-11-27T02:51:06.273Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "217.182.170.81", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184484 + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "26505", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-apache-01" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "source": { + "ip": "217.182.170.81" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "VdwTU2cBTFzn_XoL0qyL", + "source": { + "@timestamp": "2018-11-27T02:51:06.274Z", + "source": { + "ip": "217.182.170.81" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": 
"sshd", + "secondary": "217.182.170.81", + "type": "user-session" + } + }, + "sequence": 184485, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "26505" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "VtwTU2cBTFzn_XoL0qyL", + "source": { + "@timestamp": "2018-11-27T02:51:06.381Z", + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "26505", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "217.182.170.81" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "ssh", + "hostname": "217.182.170.81", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "217.182.170.81", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 184486, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "R9wSU2cBTFzn_XoLfY-L", + "source": { + "@timestamp": "2018-11-27T02:49:38.977Z", + "host": { + "name": 
"demo-stack-redis-01" + }, + "source": { + "ip": "188.123.122.128" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 186657, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "188.123.122.128", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "322" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "SNwSU2cBTFzn_XoLfY-L", + "source": { + "@timestamp": "2018-11-27T02:49:38.978Z", + "auditd": { + "sequence": 186658, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "188.123.122.128", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-redis-01" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "322" + }, + "source": { + "ip": "188.123.122.128" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + 
"type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "SdwSU2cBTFzn_XoLfY-L", + "source": { + "@timestamp": "2018-11-27T02:49:39.106Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "322" + }, + "source": { + "ip": "188.123.122.128" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "188.123.122.128" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 186659, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "188.123.122.128", + "terminal": "ssh" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "MNwUU2cBTFzn_XoL4MOf", + "source": { + "@timestamp": "2018-11-27T02:52:15.413Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "source": { + "ip": "37.187.0.20" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "37.187.0.20", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142457, + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + 
"process": { + "pid": "20179", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "MdwUU2cBTFzn_XoL4MOf", + "source": { + "@timestamp": "2018-11-27T02:52:15.414Z", + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "source": { + "ip": "37.187.0.20" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142458, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(invalid user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "37.187.0.20" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "20179", + "exe": "/usr/sbin/sshd" + }, + "host": { + "name": "demo-stack-haproxy-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "MtwUU2cBTFzn_XoL4MOf", + "source": { + "@timestamp": "2018-11-27T02:52:15.522Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "20179" + }, + "source": { + "ip": "37.187.0.20" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 142459, + "result": "fail", + "session": "unset", + "data": { + "hostname": "37.187.0.20", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + 
"object": { + "primary": "ssh", + "secondary": "37.187.0.20", + "type": "user-session" + } + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "AdwTU2cBTFzn_XoLjKds", + "source": { + "@timestamp": "2018-11-27T02:50:48.323Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "26498", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "162.243.253.67" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "sequence": 184481, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "162.243.253.67", + "type": "user-session" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "AtwTU2cBTFzn_XoLjKds", + "source": { + "@timestamp": "2018-11-27T02:50:48.324Z", + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "auditd": { + "sequence": 184482, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": 
"sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "162.243.253.67", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "26498", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "162.243.253.67" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "A9wTU2cBTFzn_XoLjKds", + "source": { + "@timestamp": "2018-11-27T02:50:48.355Z", + "source": { + "ip": "162.243.253.67" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "162.243.253.67", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "162.243.253.67", + "type": "user-session" + } + }, + "sequence": 184483, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "beat": { + "name": "demo-stack-apache-01", + "hostname": "demo-stack-apache-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-apache-01" + }, + "process": { + "pid": "26498", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KNwSU2cBTFzn_XoL6pgK", + "source": { + "@timestamp": "2018-11-27T02:50:06.744Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43291, + "result": "fail", + "session": 
"unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "52.189.217.7" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "13243", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "52.189.217.7" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "KdwSU2cBTFzn_XoL6pgK", + "source": { + "@timestamp": "2018-11-27T02:50:06.748Z", + "process": { + "pid": "13243", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "52.189.217.7" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43292, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "52.189.217.7", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": 
"KtwSU2cBTFzn_XoL6pgK", + "source": { + "@timestamp": "2018-11-27T02:50:06.964Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "13243", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "52.189.217.7" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "52.189.217.7" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "52.189.217.7" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43293 + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "pdwUU2cBTFzn_XoLmrwL", + "source": { + "@timestamp": "2018-11-27T02:51:57.342Z", + "process": { + "pid": "13252", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "45.122.222.185" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "45.122.222.185" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43294, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + 
"name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ptwUU2cBTFzn_XoLmrwL", + "source": { + "@timestamp": "2018-11-27T02:51:57.342Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "45.122.222.185" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "45.122.222.185", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43295, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13252" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "p9wUU2cBTFzn_XoLmrwL", + "source": { + "@timestamp": "2018-11-27T02:51:57.590Z", + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "13252", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "45.122.222.185" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43296, + "result": "fail", + "session": "unset", + "data": { + "hostname": "45.122.222.185", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "45.122.222.185", + "type": "user-session" 
+ }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + } + } + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0dwSU2cBTFzn_XoLxpVy", + "source": { + "@timestamp": "2018-11-27T02:49:57.640Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "331" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "source": { + "ip": "62.93.166.91" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "62.93.166.91", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186660, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0twSU2cBTFzn_XoLxpVy", + "source": { + "@timestamp": "2018-11-27T02:49:57.641Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "331", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "62.93.166.91" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + 
"actor": { + "secondary": "(invalid user)", + "primary": "unset" + }, + "object": { + "primary": "sshd", + "secondary": "62.93.166.91", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186661, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "09wSU2cBTFzn_XoLxpVy", + "source": { + "@timestamp": "2018-11-27T02:49:57.762Z", + "process": { + "pid": "331", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "62.93.166.91" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "hostname": "62.93.166.91", + "op": "PAM:bad_ident", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "62.93.166.91" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 186662, + "result": "fail", + "session": "unset" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-redis-01", + "hostname": "demo-stack-redis-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-redis-01" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "UtwVU2cBTFzn_XoLNcpH", + "source": { + "@timestamp": "2018-11-27T02:52:37.083Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + 
"primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "86.104.220.26", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 44305 + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31435" + }, + "source": { + "ip": "86.104.220.26" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "U9wVU2cBTFzn_XoLNcpH", + "source": { + "@timestamp": "2018-11-27T02:52:37.083Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44306, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "86.104.220.26", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "process": { + "pid": "31435", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "86.104.220.26" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "VNwVU2cBTFzn_XoLNcpH", + "source": { + "@timestamp": "2018-11-27T02:52:37.223Z", + "auditd": { + "session": "unset", + "data": { + "hostname": 
"86.104.220.26", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "86.104.220.26", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44307, + "result": "fail" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31435", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "86.104.220.26" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "qtwTU2cBTFzn_XoLRqAf", + "source": { + "@timestamp": "2018-11-27T02:50:30.321Z", + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31389", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.62.61.192" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "178.62.61.192", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44302, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "q9wTU2cBTFzn_XoLRqAf", + "source": { + "@timestamp": "2018-11-27T02:50:30.321Z", + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "178.62.61.192" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44303, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + } + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "31389", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.62.61.192" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "rNwTU2cBTFzn_XoLRqAf", + "source": { + "@timestamp": "2018-11-27T02:50:30.421Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "31389" + }, + "source": { + "ip": "178.62.61.192" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "secondary": "178.62.61.192", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44304, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "178.62.61.192" + } + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + 
"name": "demo-stack-es-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "cdwXU2cBTFzn_XoLm_-X", + "source": { + "@timestamp": "2018-11-27T02:55:14.346Z", + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "144.217.42.212", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43300, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "13273", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "144.217.42.212" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ctwXU2cBTFzn_XoLm_-X", + "source": { + "@timestamp": "2018-11-27T02:55:14.346Z", + "process": { + "pid": "13273", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "144.217.42.212" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "144.217.42.212", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43301 + }, + "event": { + "action": "logged-in", + 
"module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "c9wXU2cBTFzn_XoLm_-X", + "source": { + "@timestamp": "2018-11-27T02:55:14.386Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "13273", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "144.217.42.212" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "144.217.42.212" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "144.217.42.212", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43302, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "ztwXU2cBTFzn_XoLn_8Q", + "source": { + "@timestamp": "2018-11-27T02:55:15.179Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "1238", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "78.193.8.166" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + 
"sequence": 192661, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "78.193.8.166", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "z9wXU2cBTFzn_XoLn_8Q", + "source": { + "@timestamp": "2018-11-27T02:55:15.185Z", + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "1238", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "78.193.8.166" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192662, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "78.193.8.166", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "0NwXU2cBTFzn_XoLn_8Q", + "source": { + "@timestamp": "2018-11-27T02:55:15.302Z", + "source": { + "ip": "78.193.8.166" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "secondary": "78.193.8.166", + "type": 
"user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + }, + "sequence": 192663, + "result": "fail", + "session": "unset", + "data": { + "hostname": "78.193.8.166", + "terminal": "ssh", + "op": "PAM:bad_ident" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "1238", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "8dwWU2cBTFzn_XoLK980", + "source": { + "@timestamp": "2018-11-27T02:53:40.043Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "1225", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "165.227.184.21" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192652, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "165.227.184.21", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "8twWU2cBTFzn_XoLK980", + "source": { + "@timestamp": 
"2018-11-27T02:53:40.044Z", + "process": { + "pid": "1225", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "165.227.184.21" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "165.227.184.21" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + }, + "sequence": 192653 + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "89wWU2cBTFzn_XoLK980", + "source": { + "@timestamp": "2018-11-27T02:53:40.074Z", + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "165.227.184.21" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "165.227.184.21", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192654, + "result": "fail" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "1225", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "165.227.184.21" + }, + "network": { + 
"direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "BdwWU2cBTFzn_XoLL-A3", + "source": { + "@timestamp": "2018-11-27T02:53:41.070Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "1227", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "206.81.24.64" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192655, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "206.81.24.64" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "BtwWU2cBTFzn_XoLL-A3", + "source": { + "@timestamp": "2018-11-27T02:53:41.071Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192656, + "result": "fail", + "session": "unset", + "data": { + "acct": "(invalid user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "206.81.24.64" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + 
"category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "1227", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "206.81.24.64" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "B9wWU2cBTFzn_XoLL-A3", + "source": { + "@timestamp": "2018-11-27T02:53:41.179Z", + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "206.81.24.64", + "terminal": "ssh" + }, + "summary": { + "object": { + "secondary": "206.81.24.64", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + } + }, + "sequence": 192657 + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "1227", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "206.81.24.64" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "s9wWU2cBTFzn_XoLnOnq", + "source": { + "@timestamp": "2018-11-27T02:54:09.152Z", + "auditd": { + "sequence": 142460, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "secondary": "103.100.209.44", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": 
"7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "20193", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "103.100.209.44" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "tNwWU2cBTFzn_XoLnOnq", + "source": { + "@timestamp": "2018-11-27T02:54:09.153Z", + "process": { + "pid": "20193", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "103.100.209.44" + }, + "host": { + "name": "demo-stack-haproxy-01" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "103.100.209.44", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 142461, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + } + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "tdwWU2cBTFzn_XoLnOnq", + "source": { + "@timestamp": "2018-11-27T02:54:09.326Z", + "host": { + "name": "demo-stack-haproxy-01" + }, + "auditd": { + "sequence": 142462, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "103.100.209.44" + }, + "summary": { + "actor": { + "primary": 
"unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "103.100.209.44" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "20193", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "103.100.209.44" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-haproxy-01", + "hostname": "demo-stack-haproxy-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "wNwWU2cBTFzn_XoLUOIL", + "source": { + "@timestamp": "2018-11-27T02:53:49.472Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "secondary": "81.66.86.4", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 192658, + "result": "fail" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "1229", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "81.66.86.4" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "wdwWU2cBTFzn_XoLUOIL", + "source": { + "@timestamp": "2018-11-27T02:53:49.473Z", + "auditd": { + "sequence": 192659, + "result": "fail", + "session": 
"unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "type": "user-session", + "primary": "sshd", + "secondary": "81.66.86.4" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "1229", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "81.66.86.4" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "wtwWU2cBTFzn_XoLUOIL", + "source": { + "@timestamp": "2018-11-27T02:53:49.586Z", + "process": { + "pid": "1229", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "81.66.86.4" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192660, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "81.66.86.4" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "81.66.86.4", + "type": "user-session" + } + } + }, + "beat": { + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + 
"type": "doc", + "id": "r9wWU2cBTFzn_XoLJ98E", + "source": { + "@timestamp": "2018-11-27T02:53:38.966Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "acct": "(unknown user)", + "terminal": "sshd", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "122.15.119.41", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + "sequence": 43297 + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "13265", + "exe": "/usr/sbin/sshd" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "source": { + "ip": "122.15.119.41" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "sNwWU2cBTFzn_XoLJ98E", + "source": { + "@timestamp": "2018-11-27T02:53:38.966Z", + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "122.15.119.41", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43298, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "auid": "unset", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13265" + }, + "source": { + "ip": "122.15.119.41" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": 
"demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "sdwWU2cBTFzn_XoLJ98E", + "source": { + "@timestamp": "2018-11-27T02:53:39.222Z", + "process": { + "pid": "13265", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "122.15.119.41" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "122.15.119.41", + "type": "user-session", + "primary": "ssh" + } + }, + "sequence": 43299, + "result": "fail", + "session": "unset", + "data": { + "hostname": "122.15.119.41", + "terminal": "ssh", + "op": "PAM:bad_ident" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "4dwVU2cBTFzn_XoLtdX6", + "source": { + "@timestamp": "2018-11-27T02:53:10.025Z", + "process": { + "pid": "31449", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "159.203.168.217" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "159.203.168.217", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44308, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + } + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": 
"7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "4twVU2cBTFzn_XoLtdX6", + "source": { + "@timestamp": "2018-11-27T02:53:10.029Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "159.203.168.217", + "type": "user-session", + "primary": "sshd" + } + }, + "sequence": 44309, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + } + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "31449", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "source": { + "ip": "159.203.168.217" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "49wVU2cBTFzn_XoLtdX6", + "source": { + "@timestamp": "2018-11-27T02:53:10.057Z", + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31449", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "159.203.168.217" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44310, + "result": "fail", + "session": "unset", + "data": { + "terminal": "ssh", + "op": "PAM:bad_ident", + "hostname": "159.203.168.217" 
+ }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "159.203.168.217", + "type": "user-session" + } + } + }, + "beat": { + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1", + "name": "demo-stack-es-01" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_err", + "action": "error" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YNwVU2cBTFzn_XoLyNec", + "source": { + "@timestamp": "2018-11-27T02:53:14.798Z", + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31453", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.33.45.156" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "178.33.45.156", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44311, + "result": "fail" + }, + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YdwVU2cBTFzn_XoLyNec", + "source": { + "@timestamp": "2018-11-27T02:53:14.798Z", + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "how": "/usr/sbin/sshd", + 
"actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "178.33.45.156", + "type": "user-session" + } + }, + "sequence": 44312 + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "pid": "31453", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.33.45.156" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "YtwVU2cBTFzn_XoLyNec", + "source": { + "@timestamp": "2018-11-27T02:53:14.906Z", + "process": { + "pid": "31453", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "178.33.45.156" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 44313, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "178.33.45.156", + "terminal": "ssh" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "secondary": "178.33.45.156", + "type": "user-session", + "primary": "ssh" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "zd0YU2cBTFzn_XoLHgkA", + "source": { + "@timestamp": "2018-11-27T02:55:47.730Z", + "network": { + "direction": "incoming" + }, + "auditd": 
{ + "session": "unset", + "data": { + "acct": "(unknown user)", + "op": "login", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "46.148.192.41", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44315, + "result": "fail" + }, + "host": { + "name": "demo-stack-es-01" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "pid": "31503", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.148.192.41" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "zt0YU2cBTFzn_XoLHgkA", + "source": { + "@timestamp": "2018-11-27T02:55:47.730Z", + "event": { + "type": "user_login", + "action": "logged-in", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31503", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.148.192.41" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "46.148.192.41", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44316, + "result": "fail" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": 
"auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "z90YU2cBTFzn_XoLHgkA", + "source": { + "@timestamp": "2018-11-27T02:55:47.874Z", + "auditd": { + "sequence": 44317, + "result": "fail", + "session": "unset", + "data": { + "hostname": "46.148.192.41", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "46.148.192.41", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "31503", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "46.148.192.41" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "gdwVU2cBTFzn_XoL5dmB", + "source": { + "@timestamp": "2018-11-27T02:53:22.174Z", + "source": { + "ip": "149.202.54.124" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "hostname": "149.202.54.124", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "149.202.54.124", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 44314, + "result": "fail" + }, + "beat": { + "name": "demo-stack-es-01", + "hostname": "demo-stack-es-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-es-01" + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "uid": "0", + 
"name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "31457", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "E90aU2cBTFzn_XoLNjl5", + "source": { + "@timestamp": "2018-11-27T02:58:05.071Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + }, + "object": { + "secondary": "217.8.49.195", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 192673, + "result": "fail", + "session": "unset" + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "1272", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "217.8.49.195" + }, + "beat": { + "version": "7.0.0-alpha1", + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "FN0aU2cBTFzn_XoLNjl5", + "source": { + "@timestamp": "2018-11-27T02:58:05.072Z", + "process": { + "pid": "1272", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "217.8.49.195" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192674, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "secondary": "217.8.49.195", + "type": "user-session", + "primary": "sshd" + } + } + }, + "beat": { + "name": "demo-stack-nginx-01", + 
"hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Fd0aU2cBTFzn_XoLNjl5", + "source": { + "@timestamp": "2018-11-27T02:58:05.216Z", + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-nginx-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "hostname": "217.8.49.195", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "type": "user-session", + "primary": "ssh", + "secondary": "217.8.49.195" + } + }, + "sequence": 192675, + "result": "fail" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "1272", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "217.8.49.195" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5d0aU2cBTFzn_XoLw0Ro", + "source": { + "@timestamp": "2018-11-27T02:58:41.148Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13636" + }, + "source": { + "ip": "197.53.106.203" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(unknown user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "secondary": "197.53.106.203", + 
"type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43308, + "result": "fail", + "session": "unset" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5t0aU2cBTFzn_XoLw0Ro", + "source": { + "@timestamp": "2018-11-27T02:58:41.148Z", + "process": { + "pid": "13636", + "exe": "/usr/sbin/sshd" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "source": { + "ip": "197.53.106.203" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43309, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "197.53.106.203", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "590aU2cBTFzn_XoLw0Ro", + "source": { + "@timestamp": "2018-11-27T02:58:41.768Z", + "source": { + "ip": "197.53.106.203" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + 
"hostname": "197.53.106.203", + "terminal": "ssh" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "197.53.106.203", + "type": "user-session" + } + }, + "sequence": 43310 + }, + "event": { + "category": "user-login", + "type": "user_err", + "action": "error", + "module": "auditd" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "process": { + "pid": "13636", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "cN0bU2cBTFzn_XoLDkvX", + "source": { + "@timestamp": "2018-11-27T02:59:00.461Z", + "host": { + "name": "demo-stack-nginx-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "1275", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "71.112.175.120" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 192676, + "result": "fail", + "session": "unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "71.112.175.120" + }, + "summary": { + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "71.112.175.120", + "type": "user-session" + } + } + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "beat": { + "name": "demo-stack-nginx-01", + "hostname": "demo-stack-nginx-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "4t0bU2cBTFzn_XoLaVLG", + "source": { + "@timestamp": 
"2018-11-27T02:59:23.735Z", + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + }, + "object": { + "primary": "sshd", + "secondary": "198.100.156.214", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43311, + "result": "fail", + "session": "unset" + }, + "event": { + "module": "auditd", + "category": "user-login", + "type": "user_login", + "action": "logged-in" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "13643", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "198.100.156.214" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "490bU2cBTFzn_XoLaVLG", + "source": { + "@timestamp": "2018-11-27T02:59:23.735Z", + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "session": "unset", + "data": { + "op": "login", + "terminal": "sshd", + "acct": "(invalid user)" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + }, + "object": { + "primary": "sshd", + "secondary": "198.100.156.214", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43312, + "result": "fail" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "uid": "0", + "auid": "unset" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13643" + }, + "source": 
{ + "ip": "198.100.156.214" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "5N0bU2cBTFzn_XoLaVLG", + "source": { + "@timestamp": "2018-11-27T02:59:23.779Z", + "auditd": { + "session": "unset", + "data": { + "terminal": "ssh", + "hostname": "198.100.156.214", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "secondary": "root", + "primary": "unset" + }, + "object": { + "primary": "ssh", + "secondary": "198.100.156.214", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43313, + "result": "fail" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "13643", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "198.100.156.214" + }, + "network": { + "direction": "incoming" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Xd0bU2cBTFzn_XoLclNQ", + "source": { + "@timestamp": "2018-11-27T02:59:25.924Z", + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "auid": "unset", + "name_map": { + "uid": "root" + }, + "uid": "0" + }, + "process": { + "pid": "13645", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "91.121.110.50" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "data": { + "terminal": "sshd", + "acct": "(unknown user)", + "op": "login" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "91.121.110.50", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(unknown user)" + } + }, + 
"sequence": 43314, + "result": "fail", + "session": "unset" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Xt0bU2cBTFzn_XoLclNQ", + "source": { + "@timestamp": "2018-11-27T02:59:25.924Z", + "source": { + "ip": "91.121.110.50" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43315, + "result": "fail", + "session": "unset", + "data": { + "terminal": "sshd", + "op": "login", + "acct": "(invalid user)" + }, + "summary": { + "object": { + "secondary": "91.121.110.50", + "type": "user-session", + "primary": "sshd" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "(invalid user)" + } + } + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "name_map": { + "uid": "root" + }, + "auid": "unset", + "uid": "0" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13645" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "X90bU2cBTFzn_XoLclNQ", + "source": { + "@timestamp": "2018-11-27T02:59:26.032Z", + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "action": "error", + "module": "auditd", + "category": "user-login", + "type": "user_err" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "pid": "13645", + "exe": "/usr/sbin/sshd" + }, + "source": { + "ip": "91.121.110.50" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43316, + "result": "fail", + "session": 
"unset", + "data": { + "op": "PAM:bad_ident", + "terminal": "ssh", + "hostname": "91.121.110.50" + }, + "summary": { + "object": { + "primary": "ssh", + "secondary": "91.121.110.50", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "primary": "unset", + "secondary": "root" + } + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_t0bU2cBTFzn_XoLelQ5", + "source": { + "@timestamp": "2018-11-27T02:59:27.948Z", + "source": { + "ip": "51.38.82.60" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "sequence": 43317, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(unknown user)", + "terminal": "sshd" + }, + "summary": { + "object": { + "primary": "sshd", + "secondary": "51.38.82.60", + "type": "user-session" + }, + "how": "/usr/sbin/sshd", + "actor": { + "secondary": "(unknown user)", + "primary": "unset" + } + } + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + }, + "event": { + "category": "user-login", + "type": "user_login", + "action": "logged-in", + "module": "auditd" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "process": { + "pid": "13647", + "exe": "/usr/sbin/sshd" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "_90bU2cBTFzn_XoLelQ5", + "source": { + "@timestamp": "2018-11-27T02:59:27.948Z", + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13647" + }, + "source": { + "ip": "51.38.82.60" + }, + "network": { + "direction": "incoming" + }, + "auditd": { + "summary": { + "object": { + "primary": "sshd", + "secondary": "51.38.82.60", + "type": "user-session" + }, + 
"how": "/usr/sbin/sshd", + "actor": { + "secondary": "(invalid user)", + "primary": "unset" + } + }, + "sequence": 43318, + "result": "fail", + "session": "unset", + "data": { + "op": "login", + "acct": "(invalid user)", + "terminal": "sshd" + } + }, + "event": { + "action": "logged-in", + "module": "auditd", + "category": "user-login", + "type": "user_login" + }, + "user": { + "uid": "0", + "name_map": { + "uid": "root" + }, + "auid": "unset" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "AN0bU2cBTFzn_XoLelU5", + "source": { + "@timestamp": "2018-11-27T02:59:28.060Z", + "auditd": { + "data": { + "hostname": "51.38.82.60", + "terminal": "ssh", + "op": "PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "51.38.82.60", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43319, + "result": "fail", + "session": "unset" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user": { + "auid": "unset", + "uid": "0", + "name_map": { + "uid": "root" + } + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13647" + }, + "source": { + "ip": "51.38.82.60" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} + +{ + "type": "doc", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "type": "doc", + "id": "Xa2ipWkBCQofM5eXEgsv", + "source": { + "@timestamp": "2018-11-27T02:59:28.060Z", + "auditd": { + "data": { + "hostname": "51.38.82.60", + "terminal": "ssh", + "op": 
"PAM:bad_ident" + }, + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "ssh", + "secondary": "51.38.82.60", + "type": "user-session" + }, + "how": "/usr/sbin/sshd" + }, + "sequence": 43319, + "result": "fail", + "session": "unset" + }, + "destination" : { + "ip" : "0.0.0.0", + "port" : "22" + }, + "event": { + "type": "user_err", + "action": "error", + "module": "auditd", + "category": "user-login" + }, + "user" : { + "group" : { + "name" : "root", + "id" : "0" + }, + "id" : "0", + "name" : "root" + }, + "process": { + "exe": "/usr/sbin/sshd", + "pid": "13647" + }, + "source": { + "ip": "51.38.82.60" + }, + "network": { + "direction": "incoming" + }, + "beat": { + "name": "demo-stack-mysql-01", + "hostname": "demo-stack-mysql-01", + "version": "7.0.0-alpha1" + }, + "host": { + "name": "demo-stack-mysql-01" + } + } + } +} diff --git a/x-pack/test/functional/es_archives/auditbeat/kpi_hosts/data.json b/x-pack/test/functional/es_archives/auditbeat/kpi_hosts/data.json new file mode 100644 index 000000000000..470e38e62ba5 --- /dev/null +++ b/x-pack/test/functional/es_archives/auditbeat/kpi_hosts/data.json 
@@ -0,0 +1,194 @@
+{
+ "type": "doc",
+ "value": {
+ "index": "auditbeat-7.0.0-alpha1-2018.11.27",
+ "type": "doc",
+ "id": "Rs93UmcBTFzn_XoLWT6M",
+ "source": {
+ "@timestamp": "2018-11-27T00:00:11.544Z",
+ "process": {
+ "pid": "31964",
+ "exe": "/usr/sbin/sshd"
+ },
+ "source": {
+ "ip": "128.199.87.213"
+ },
+ "network": {
+ "direction": "incoming"
+ },
+ "beat": {
+ "name": "demo-stack-nginx-01",
+ "hostname": "demo-stack-nginx-01",
+ "version": "7.0.0-alpha1"
+ },
+ "host": {
+ "name": "demo-stack-nginx-01"
+ },
+ "auditd": {
+ "session": "unset",
+ "data": {
+ "hostname": "128.199.87.213",
+ "terminal": "ssh",
+ "op": "PAM:bad_ident"
+ },
+ "summary": {
+ "object": {
+ "primary": "ssh",
+ "secondary": "128.199.87.213",
+ "type": "user-session"
+ },
+ "how": "/usr/sbin/sshd",
+ "actor": {
+ "primary": "unset",
+ "secondary": "root"
+ }
+ },
+ "sequence": 192383,
+ "result": "fail"
+ },
+ "event": {
+ "category": "user-login",
+ "type": "user_err",
+ "action": "error",
+ "module": "auditd"
+ },
+ "user": {
+ "name_map": {
+ "uid": "root"
+ },
+ "auid": "unset",
+ "uid": "0"
+ }
+ }
+ }
+}
+
+{
+ "type": "doc",
+ "value": {
+ "index": "auditbeat-7.0.0-alpha1-2018.11.27",
+ "type": "doc",
+ "id": "6Nr4UmcBTFzn_XoL4l6d",
+ "source": {
+ "@timestamp": "2018-11-27T02:21:40.914Z",
+ "host": {
+ "name": "demo-stack-haproxy-01"
+ },
+ "user": {
+ "auid": "unset",
+ "uid": "0",
+ "name_map": {
+ "uid": "root"
+ }
+ },
+ "process": {
+ "pid": "20001",
+ "exe": "/usr/sbin/sshd"
+ },
+ "source": {
+ "ip": "82.62.233.163"
+ },
+ "network": {
+ "direction": "incoming"
+ },
+ "auditd": {
+ "sequence": 142431,
+ "result": "fail",
+ "session": "unset",
+ "data": {
+ "acct": "(unknown user)",
+ "op": "login",
+ "terminal": "sshd"
+ },
+ "summary": {
+ "actor": {
+ "primary": "unset",
+ "secondary": "(unknown user)"
+ },
+ "object": {
+ "primary": "sshd",
+ "secondary": "82.62.233.163",
+ "type": "user-session"
+ },
+ "how": "/usr/sbin/sshd"
+ }
+ },
+ "event": {
+ "category": "user-login",
+ "type": "user_login",
+ "action": "logged-in",
+ "module": "auditd"
+ },
+ "beat": {
+ "name": "demo-stack-haproxy-01",
+ "hostname": "demo-stack-haproxy-01",
+ "version": "7.0.0-alpha1"
+ }
+ }
+ }
+}
+
+{
+ "type": "doc",
+ "value": {
+ "index": "auditbeat-7.0.0-alpha1-2018.11.27",
+ "type": "doc",
+ "id": "sdwQU2cBTFzn_XoLA1gL",
+ "source": {
+ "@timestamp": "2018-11-27T02:46:56.545Z",
+ "process": {
+ "pid": "26473",
+ "exe": "/usr/sbin/sshd"
+ },
+ "source": {
+ "ip": "35.243.183.165"
+ },
+ "network": {
+ "direction": "incoming"
+ },
+ "beat": {
+ "name": "demo-stack-apache-01",
+ "hostname": "demo-stack-apache-01",
+ "version": "7.0.0-alpha1"
+ },
+ "host": {
+ "name": "demo-stack-apache-01"
+ },
+ "auditd": {
+ "session": "unset",
+ "data": {
+ "op": "login",
+ "acct": "(unknown user)",
+ "terminal": "sshd"
+ },
+ "summary": {
+ "actor": {
+ "primary": "unset",
+ "secondary": "(unknown user)"
+ },
+ "object": {
+ "primary": "sshd",
+ "secondary": "35.243.183.165",
+ "type": "user-session"
+ },
+ "how": "/usr/sbin/sshd"
+ },
+ "sequence": 184472,
+ "result": "fail"
+ },
+ "event": {
+ "type": "user_login",
+ "action": "logged-in",
+ "module": "auditd",
+ "category": "user-login"
+ },
+ "user": {
+ "name_map": {
+ "uid": "root"
+ },
+ "uid": "0",
+ "auid": "unset"
+ }
+ }
+ }
+}
diff --git a/x-pack/test/functional/es_archives/auditbeat/kpi_hosts/mappings.json b/x-pack/test/functional/es_archives/auditbeat/kpi_hosts/mappings.json
new file mode 100644
index 000000000000..96aec998fcdc
--- /dev/null
+++ b/x-pack/test/functional/es_archives/auditbeat/kpi_hosts/mappings.json
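Review bot: The three fixture documents in this new archive carry what appear to be routable public source addresses (`128.199.87.213`, `82.62.233.163`, `35.243.183.165`), each repeated in `source.ip`, `auditd.data.hostname` and `auditd.summary.object.secondary`; a checked-in test archive is better served by the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), which avoid shipping third-party addresses in the repository and make the data unambiguously synthetic. The KPI hosts spec this archive feeds appears to assert host counts and histogram buckets rather than individual IPs, so the substitution should not move any expectation, but that needs confirming against the spec before the values are changed. Whichever values are kept, every occurrence within a document should be rewritten together so the three fields stay mutually consistent.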
@@ -0,0 +1,1903 @@ +{ + "type": "index", + "value": { + "index": "auditbeat-7.0.0-alpha1-2018.11.27", + "settings": { + "index": { + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "refresh_interval": "5s", + "number_of_shards": "1", + "query": { + "default_field": [ + "beat.name", + "beat.hostname", + "beat.timezone", + "beat.version", + "tags", + "error.message", + "error.type", + "meta.cloud.provider", + "meta.cloud.instance_id", + "meta.cloud.instance_name", + "meta.cloud.machine_type", + "meta.cloud.availability_zone", + "meta.cloud.project_id", + "meta.cloud.region", + "docker.container.id", + "docker.container.image", + "docker.container.name", + "host.name", + "host.id", + "host.architecture", + "host.os.platform", + "host.os.version", + "host.os.family", + "host.mac", + "kubernetes.pod.name", + "kubernetes.pod.uid", + "kubernetes.namespace", + "kubernetes.node.name", + "kubernetes.container.name", + "kubernetes.container.image", + "event.module", + "event.action", + "file.path", + "raw", + "file.target_path", + "file.type", + "file.device", + "file.inode", + "file.uid", + "file.owner", + "file.gid", + "file.group", + "file.mode", + "file.origin", + "raw", + "file.selinux.user", + "file.selinux.role", + "file.selinux.domain", + "file.selinux.level", + "event.category", + "event.type", + "user.auid", + "user.uid", + "user.euid", + "user.fsuid", + "user.suid", + "user.gid", + "user.egid", + "user.sgid", + "user.fsgid", + "user.name_map.auid", + "user.name_map.uid", + "user.name_map.euid", + "user.name_map.fsuid", + "user.name_map.suid", + "user.name_map.gid", + "user.name_map.egid", + "user.name_map.sgid", + "user.name_map.fsgid", + "user.selinux.user", + "user.selinux.role", + "user.selinux.domain", + "user.selinux.level", + "user.selinux.category", + "process.pid", + "process.ppid", + "process.name", + "process.title", + "process.exe", + "process.cwd", + "process.args", + "source.port", + "source.hostname", + 
"source.path", + "destination.port", + "destination.hostname", + "destination.path", + "network.direction", + "auditd.session", + "auditd.result", + "auditd.summary.actor.primary", + "auditd.summary.actor.secondary", + "auditd.summary.object.type", + "auditd.summary.object.primary", + "auditd.summary.object.secondary", + "auditd.summary.how", + "auditd.paths.inode", + "auditd.paths.dev", + "auditd.paths.obj_user", + "auditd.paths.obj_role", + "auditd.paths.obj_domain", + "auditd.paths.obj_level", + "auditd.paths.objtype", + "auditd.paths.ouid", + "auditd.paths.rdev", + "auditd.paths.nametype", + "auditd.paths.ogid", + "auditd.paths.item", + "auditd.paths.mode", + "auditd.paths.name", + "auditd.data.action", + "auditd.data.minor", + "auditd.data.acct", + "auditd.data.addr", + "auditd.data.cipher", + "auditd.data.id", + "auditd.data.entries", + "auditd.data.kind", + "auditd.data.ksize", + "auditd.data.spid", + "auditd.data.arch", + "auditd.data.argc", + "auditd.data.major", + "auditd.data.unit", + "auditd.data.table", + "auditd.data.terminal", + "auditd.data.grantors", + "auditd.data.direction", + "auditd.data.op", + "auditd.data.tty", + "auditd.data.syscall", + "auditd.data.data", + "auditd.data.family", + "auditd.data.mac", + "auditd.data.pfs", + "auditd.data.items", + "auditd.data.a0", + "auditd.data.a1", + "auditd.data.a2", + "auditd.data.a3", + "auditd.data.hostname", + "auditd.data.lport", + "auditd.data.rport", + "auditd.data.exit", + "auditd.data.fp", + "auditd.data.laddr", + "auditd.data.sport", + "auditd.data.capability", + "auditd.data.nargs", + "auditd.data.new-enabled", + "auditd.data.audit_backlog_limit", + "auditd.data.dir", + "auditd.data.cap_pe", + "auditd.data.model", + "auditd.data.new_pp", + "auditd.data.old-enabled", + "auditd.data.oauid", + "auditd.data.old", + "auditd.data.banners", + "auditd.data.feature", + "auditd.data.vm-ctx", + "auditd.data.opid", + "auditd.data.seperms", + "auditd.data.seresult", + "auditd.data.new-rng", + 
"auditd.data.old-net", + "auditd.data.sigev_signo", + "auditd.data.ino", + "auditd.data.old_enforcing", + "auditd.data.old-vcpu", + "auditd.data.range", + "auditd.data.res", + "auditd.data.added", + "auditd.data.fam", + "auditd.data.nlnk-pid", + "auditd.data.subj", + "auditd.data.a[0-3]", + "auditd.data.cgroup", + "auditd.data.kernel", + "auditd.data.ocomm", + "auditd.data.new-net", + "auditd.data.permissive", + "auditd.data.class", + "auditd.data.compat", + "auditd.data.fi", + "auditd.data.changed", + "auditd.data.msg", + "auditd.data.dport", + "auditd.data.new-seuser", + "auditd.data.invalid_context", + "auditd.data.dmac", + "auditd.data.ipx-net", + "auditd.data.iuid", + "auditd.data.macproto", + "auditd.data.obj", + "auditd.data.ipid", + "auditd.data.new-fs", + "auditd.data.vm-pid", + "auditd.data.cap_pi", + "auditd.data.old-auid", + "auditd.data.oses", + "auditd.data.fd", + "auditd.data.igid", + "auditd.data.new-disk", + "auditd.data.parent", + "auditd.data.len", + "auditd.data.oflag", + "auditd.data.uuid", + "auditd.data.code", + "auditd.data.nlnk-grp", + "auditd.data.cap_fp", + "auditd.data.new-mem", + "auditd.data.seperm", + "auditd.data.enforcing", + "auditd.data.new-chardev", + "auditd.data.old-rng", + "auditd.data.outif", + "auditd.data.cmd", + "auditd.data.hook", + "auditd.data.new-level", + "auditd.data.sauid", + "auditd.data.sig", + "auditd.data.audit_backlog_wait_time", + "auditd.data.printer", + "auditd.data.old-mem", + "auditd.data.perm", + "auditd.data.old_pi", + "auditd.data.state", + "auditd.data.format", + "auditd.data.new_gid", + "auditd.data.tcontext", + "auditd.data.maj", + "auditd.data.watch", + "auditd.data.device", + "auditd.data.grp", + "auditd.data.bool", + "auditd.data.icmp_type", + "auditd.data.new_lock", + "auditd.data.old_prom", + "auditd.data.acl", + "auditd.data.ip", + "auditd.data.new_pi", + "auditd.data.default-context", + "auditd.data.inode_gid", + "auditd.data.new-log_passwd", + "auditd.data.new_pe", + 
"auditd.data.selected-context", + "auditd.data.cap_fver", + "auditd.data.file", + "auditd.data.net", + "auditd.data.virt", + "auditd.data.cap_pp", + "auditd.data.old-range", + "auditd.data.resrc", + "auditd.data.new-range", + "auditd.data.obj_gid", + "auditd.data.proto", + "auditd.data.old-disk", + "auditd.data.audit_failure", + "auditd.data.inif", + "auditd.data.vm", + "auditd.data.flags", + "auditd.data.nlnk-fam", + "auditd.data.old-fs", + "auditd.data.old-ses", + "auditd.data.seqno", + "auditd.data.fver", + "auditd.data.qbytes", + "auditd.data.seuser", + "auditd.data.cap_fe", + "auditd.data.new-vcpu", + "auditd.data.old-level", + "auditd.data.old_pp", + "auditd.data.daddr", + "auditd.data.old-role", + "auditd.data.ioctlcmd", + "auditd.data.smac", + "auditd.data.apparmor", + "auditd.data.fe", + "auditd.data.perm_mask", + "auditd.data.ses", + "auditd.data.cap_fi", + "auditd.data.obj_uid", + "auditd.data.reason", + "auditd.data.list", + "auditd.data.old_lock", + "auditd.data.bus", + "auditd.data.old_pe", + "auditd.data.new-role", + "auditd.data.prom", + "auditd.data.uri", + "auditd.data.audit_enabled", + "auditd.data.old-log_passwd", + "auditd.data.old-seuser", + "auditd.data.per", + "auditd.data.scontext", + "auditd.data.tclass", + "auditd.data.ver", + "auditd.data.new", + "auditd.data.val", + "auditd.data.img-ctx", + "auditd.data.old-chardev", + "auditd.data.old_val", + "auditd.data.success", + "auditd.data.inode_uid", + "auditd.data.removed", + "auditd.data.socket.port", + "auditd.data.socket.saddr", + "auditd.data.socket.addr", + "auditd.data.socket.family", + "auditd.data.socket.path", + "auditd.messages", + "auditd.warnings", + "geoip.continent_name", + "geoip.city_name", + "geoip.region_name", + "geoip.country_iso_code", + "hash.blake2b_256", + "hash.blake2b_384", + "hash.blake2b_512", + "hash.md5", + "hash.sha1", + "hash.sha224", + "hash.sha256", + "hash.sha384", + "hash.sha3_224", + "hash.sha3_256", + "hash.sha3_384", + "hash.sha3_512", + "hash.sha512", + 
"hash.sha512_224", + "hash.sha512_256", + "hash.xxh64", + "fields.*" + ] + }, + "number_of_replicas": "0" + } + }, + "mappings": { + "_meta": { + "version": "7.0.0-alpha1" + }, + "dynamic_templates": [ + { + "fields": { + "path_match": "fields.*", + "match_mapping_type": "string", + "mapping": { + "type": "keyword" + } + } + }, + { + "docker.container.labels": { + "path_match": "docker.container.labels.*", + "match_mapping_type": "string", + "mapping": { + "type": "keyword" + } + } + }, + { + "strings_as_keyword": { + "match_mapping_type": "string", + "mapping": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + ], + "date_detection": false, + "properties": { + "@timestamp": { + "type": "date" + }, + "auditd": { + "properties": { + "data": { + "properties": { + "a0": { + "type": "keyword", + "ignore_above": 1024 + }, + "a1": { + "type": "keyword", + "ignore_above": 1024 + }, + "a2": { + "type": "keyword", + "ignore_above": 1024 + }, + "a3": { + "type": "keyword", + "ignore_above": 1024 + }, + "a[0-3]": { + "type": "keyword", + "ignore_above": 1024 + }, + "acct": { + "type": "keyword", + "ignore_above": 1024 + }, + "acl": { + "type": "keyword", + "ignore_above": 1024 + }, + "action": { + "type": "keyword", + "ignore_above": 1024 + }, + "added": { + "type": "keyword", + "ignore_above": 1024 + }, + "addr": { + "type": "keyword", + "ignore_above": 1024 + }, + "apparmor": { + "type": "keyword", + "ignore_above": 1024 + }, + "arch": { + "type": "keyword", + "ignore_above": 1024 + }, + "argc": { + "type": "keyword", + "ignore_above": 1024 + }, + "audit_backlog_limit": { + "type": "keyword", + "ignore_above": 1024 + }, + "audit_backlog_wait_time": { + "type": "keyword", + "ignore_above": 1024 + }, + "audit_enabled": { + "type": "keyword", + "ignore_above": 1024 + }, + "audit_failure": { + "type": "keyword", + "ignore_above": 1024 + }, + "banners": { + "type": "keyword", + "ignore_above": 1024 + }, + "bool": { + "type": "keyword", + "ignore_above": 1024 + }, + 
"bus": { + "type": "keyword", + "ignore_above": 1024 + }, + "cap_fe": { + "type": "keyword", + "ignore_above": 1024 + }, + "cap_fi": { + "type": "keyword", + "ignore_above": 1024 + }, + "cap_fp": { + "type": "keyword", + "ignore_above": 1024 + }, + "cap_fver": { + "type": "keyword", + "ignore_above": 1024 + }, + "cap_pe": { + "type": "keyword", + "ignore_above": 1024 + }, + "cap_pi": { + "type": "keyword", + "ignore_above": 1024 + }, + "cap_pp": { + "type": "keyword", + "ignore_above": 1024 + }, + "capability": { + "type": "keyword", + "ignore_above": 1024 + }, + "cgroup": { + "type": "keyword", + "ignore_above": 1024 + }, + "changed": { + "type": "keyword", + "ignore_above": 1024 + }, + "cipher": { + "type": "keyword", + "ignore_above": 1024 + }, + "class": { + "type": "keyword", + "ignore_above": 1024 + }, + "cmd": { + "type": "keyword", + "ignore_above": 1024 + }, + "code": { + "type": "keyword", + "ignore_above": 1024 + }, + "compat": { + "type": "keyword", + "ignore_above": 1024 + }, + "daddr": { + "type": "keyword", + "ignore_above": 1024 + }, + "data": { + "type": "keyword", + "ignore_above": 1024 + }, + "default-context": { + "type": "keyword", + "ignore_above": 1024 + }, + "device": { + "type": "keyword", + "ignore_above": 1024 + }, + "dir": { + "type": "keyword", + "ignore_above": 1024 + }, + "direction": { + "type": "keyword", + "ignore_above": 1024 + }, + "dmac": { + "type": "keyword", + "ignore_above": 1024 + }, + "dport": { + "type": "keyword", + "ignore_above": 1024 + }, + "enforcing": { + "type": "keyword", + "ignore_above": 1024 + }, + "entries": { + "type": "keyword", + "ignore_above": 1024 + }, + "exit": { + "type": "keyword", + "ignore_above": 1024 + }, + "fam": { + "type": "keyword", + "ignore_above": 1024 + }, + "family": { + "type": "keyword", + "ignore_above": 1024 + }, + "fd": { + "type": "keyword", + "ignore_above": 1024 + }, + "fe": { + "type": "keyword", + "ignore_above": 1024 + }, + "feature": { + "type": "keyword", + "ignore_above": 
1024 + }, + "fi": { + "type": "keyword", + "ignore_above": 1024 + }, + "file": { + "type": "keyword", + "ignore_above": 1024 + }, + "flags": { + "type": "keyword", + "ignore_above": 1024 + }, + "format": { + "type": "keyword", + "ignore_above": 1024 + }, + "fp": { + "type": "keyword", + "ignore_above": 1024 + }, + "fver": { + "type": "keyword", + "ignore_above": 1024 + }, + "grantors": { + "type": "keyword", + "ignore_above": 1024 + }, + "grp": { + "type": "keyword", + "ignore_above": 1024 + }, + "hook": { + "type": "keyword", + "ignore_above": 1024 + }, + "hostname": { + "type": "keyword", + "ignore_above": 1024 + }, + "icmp_type": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "igid": { + "type": "keyword", + "ignore_above": 1024 + }, + "img-ctx": { + "type": "keyword", + "ignore_above": 1024 + }, + "inif": { + "type": "keyword", + "ignore_above": 1024 + }, + "ino": { + "type": "keyword", + "ignore_above": 1024 + }, + "inode_gid": { + "type": "keyword", + "ignore_above": 1024 + }, + "inode_uid": { + "type": "keyword", + "ignore_above": 1024 + }, + "invalid_context": { + "type": "keyword", + "ignore_above": 1024 + }, + "ioctlcmd": { + "type": "keyword", + "ignore_above": 1024 + }, + "ip": { + "type": "keyword", + "ignore_above": 1024 + }, + "ipid": { + "type": "keyword", + "ignore_above": 1024 + }, + "ipx-net": { + "type": "keyword", + "ignore_above": 1024 + }, + "items": { + "type": "keyword", + "ignore_above": 1024 + }, + "iuid": { + "type": "keyword", + "ignore_above": 1024 + }, + "kernel": { + "type": "keyword", + "ignore_above": 1024 + }, + "kind": { + "type": "keyword", + "ignore_above": 1024 + }, + "ksize": { + "type": "keyword", + "ignore_above": 1024 + }, + "laddr": { + "type": "keyword", + "ignore_above": 1024 + }, + "len": { + "type": "keyword", + "ignore_above": 1024 + }, + "list": { + "type": "keyword", + "ignore_above": 1024 + }, + "lport": { + "type": "keyword", + "ignore_above": 1024 
+ }, + "mac": { + "type": "keyword", + "ignore_above": 1024 + }, + "macproto": { + "type": "keyword", + "ignore_above": 1024 + }, + "maj": { + "type": "keyword", + "ignore_above": 1024 + }, + "major": { + "type": "keyword", + "ignore_above": 1024 + }, + "minor": { + "type": "keyword", + "ignore_above": 1024 + }, + "model": { + "type": "keyword", + "ignore_above": 1024 + }, + "msg": { + "type": "keyword", + "ignore_above": 1024 + }, + "nargs": { + "type": "keyword", + "ignore_above": 1024 + }, + "net": { + "type": "keyword", + "ignore_above": 1024 + }, + "new": { + "type": "keyword", + "ignore_above": 1024 + }, + "new-chardev": { + "type": "keyword", + "ignore_above": 1024 + }, + "new-disk": { + "type": "keyword", + "ignore_above": 1024 + }, + "new-enabled": { + "type": "keyword", + "ignore_above": 1024 + }, + "new-fs": { + "type": "keyword", + "ignore_above": 1024 + }, + "new-level": { + "type": "keyword", + "ignore_above": 1024 + }, + "new-log_passwd": { + "type": "keyword", + "ignore_above": 1024 + }, + "new-mem": { + "type": "keyword", + "ignore_above": 1024 + }, + "new-net": { + "type": "keyword", + "ignore_above": 1024 + }, + "new-range": { + "type": "keyword", + "ignore_above": 1024 + }, + "new-rng": { + "type": "keyword", + "ignore_above": 1024 + }, + "new-role": { + "type": "keyword", + "ignore_above": 1024 + }, + "new-seuser": { + "type": "keyword", + "ignore_above": 1024 + }, + "new-vcpu": { + "type": "keyword", + "ignore_above": 1024 + }, + "new_gid": { + "type": "keyword", + "ignore_above": 1024 + }, + "new_lock": { + "type": "keyword", + "ignore_above": 1024 + }, + "new_pe": { + "type": "keyword", + "ignore_above": 1024 + }, + "new_pi": { + "type": "keyword", + "ignore_above": 1024 + }, + "new_pp": { + "type": "keyword", + "ignore_above": 1024 + }, + "nlnk-fam": { + "type": "keyword", + "ignore_above": 1024 + }, + "nlnk-grp": { + "type": "keyword", + "ignore_above": 1024 + }, + "nlnk-pid": { + "type": "keyword", + "ignore_above": 1024 + }, + "oauid": { 
+ "type": "keyword", + "ignore_above": 1024 + }, + "obj": { + "type": "keyword", + "ignore_above": 1024 + }, + "obj_gid": { + "type": "keyword", + "ignore_above": 1024 + }, + "obj_uid": { + "type": "keyword", + "ignore_above": 1024 + }, + "ocomm": { + "type": "keyword", + "ignore_above": 1024 + }, + "oflag": { + "type": "keyword", + "ignore_above": 1024 + }, + "old": { + "type": "keyword", + "ignore_above": 1024 + }, + "old-auid": { + "type": "keyword", + "ignore_above": 1024 + }, + "old-chardev": { + "type": "keyword", + "ignore_above": 1024 + }, + "old-disk": { + "type": "keyword", + "ignore_above": 1024 + }, + "old-enabled": { + "type": "keyword", + "ignore_above": 1024 + }, + "old-fs": { + "type": "keyword", + "ignore_above": 1024 + }, + "old-level": { + "type": "keyword", + "ignore_above": 1024 + }, + "old-log_passwd": { + "type": "keyword", + "ignore_above": 1024 + }, + "old-mem": { + "type": "keyword", + "ignore_above": 1024 + }, + "old-net": { + "type": "keyword", + "ignore_above": 1024 + }, + "old-range": { + "type": "keyword", + "ignore_above": 1024 + }, + "old-rng": { + "type": "keyword", + "ignore_above": 1024 + }, + "old-role": { + "type": "keyword", + "ignore_above": 1024 + }, + "old-ses": { + "type": "keyword", + "ignore_above": 1024 + }, + "old-seuser": { + "type": "keyword", + "ignore_above": 1024 + }, + "old-vcpu": { + "type": "keyword", + "ignore_above": 1024 + }, + "old_enforcing": { + "type": "keyword", + "ignore_above": 1024 + }, + "old_lock": { + "type": "keyword", + "ignore_above": 1024 + }, + "old_pe": { + "type": "keyword", + "ignore_above": 1024 + }, + "old_pi": { + "type": "keyword", + "ignore_above": 1024 + }, + "old_pp": { + "type": "keyword", + "ignore_above": 1024 + }, + "old_prom": { + "type": "keyword", + "ignore_above": 1024 + }, + "old_val": { + "type": "keyword", + "ignore_above": 1024 + }, + "op": { + "type": "keyword", + "ignore_above": 1024 + }, + "opid": { + "type": "keyword", + "ignore_above": 1024 + }, + "oses": { + 
"type": "keyword", + "ignore_above": 1024 + }, + "outif": { + "type": "keyword", + "ignore_above": 1024 + }, + "parent": { + "type": "keyword", + "ignore_above": 1024 + }, + "per": { + "type": "keyword", + "ignore_above": 1024 + }, + "perm": { + "type": "keyword", + "ignore_above": 1024 + }, + "perm_mask": { + "type": "keyword", + "ignore_above": 1024 + }, + "permissive": { + "type": "keyword", + "ignore_above": 1024 + }, + "pfs": { + "type": "keyword", + "ignore_above": 1024 + }, + "printer": { + "type": "keyword", + "ignore_above": 1024 + }, + "prom": { + "type": "keyword", + "ignore_above": 1024 + }, + "proto": { + "type": "keyword", + "ignore_above": 1024 + }, + "qbytes": { + "type": "keyword", + "ignore_above": 1024 + }, + "range": { + "type": "keyword", + "ignore_above": 1024 + }, + "reason": { + "type": "keyword", + "ignore_above": 1024 + }, + "removed": { + "type": "keyword", + "ignore_above": 1024 + }, + "res": { + "type": "keyword", + "ignore_above": 1024 + }, + "resrc": { + "type": "keyword", + "ignore_above": 1024 + }, + "rport": { + "type": "keyword", + "ignore_above": 1024 + }, + "sauid": { + "type": "keyword", + "ignore_above": 1024 + }, + "scontext": { + "type": "keyword", + "ignore_above": 1024 + }, + "selected-context": { + "type": "keyword", + "ignore_above": 1024 + }, + "seperm": { + "type": "keyword", + "ignore_above": 1024 + }, + "seperms": { + "type": "keyword", + "ignore_above": 1024 + }, + "seqno": { + "type": "keyword", + "ignore_above": 1024 + }, + "seresult": { + "type": "keyword", + "ignore_above": 1024 + }, + "ses": { + "type": "keyword", + "ignore_above": 1024 + }, + "seuser": { + "type": "keyword", + "ignore_above": 1024 + }, + "sig": { + "type": "keyword", + "ignore_above": 1024 + }, + "sigev_signo": { + "type": "keyword", + "ignore_above": 1024 + }, + "smac": { + "type": "keyword", + "ignore_above": 1024 + }, + "socket": { + "properties": { + "addr": { + "type": "keyword", + "ignore_above": 1024 + }, + "family": { + "type": 
"keyword", + "ignore_above": 1024 + }, + "path": { + "type": "keyword", + "ignore_above": 1024 + }, + "port": { + "type": "keyword", + "ignore_above": 1024 + }, + "saddr": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "spid": { + "type": "keyword", + "ignore_above": 1024 + }, + "sport": { + "type": "keyword", + "ignore_above": 1024 + }, + "state": { + "type": "keyword", + "ignore_above": 1024 + }, + "subj": { + "type": "keyword", + "ignore_above": 1024 + }, + "success": { + "type": "keyword", + "ignore_above": 1024 + }, + "syscall": { + "type": "keyword", + "ignore_above": 1024 + }, + "table": { + "type": "keyword", + "ignore_above": 1024 + }, + "tclass": { + "type": "keyword", + "ignore_above": 1024 + }, + "tcontext": { + "type": "keyword", + "ignore_above": 1024 + }, + "terminal": { + "type": "keyword", + "ignore_above": 1024 + }, + "tty": { + "type": "keyword", + "ignore_above": 1024 + }, + "unit": { + "type": "keyword", + "ignore_above": 1024 + }, + "uri": { + "type": "keyword", + "ignore_above": 1024 + }, + "uuid": { + "type": "keyword", + "ignore_above": 1024 + }, + "val": { + "type": "keyword", + "ignore_above": 1024 + }, + "ver": { + "type": "keyword", + "ignore_above": 1024 + }, + "virt": { + "type": "keyword", + "ignore_above": 1024 + }, + "vm": { + "type": "keyword", + "ignore_above": 1024 + }, + "vm-ctx": { + "type": "keyword", + "ignore_above": 1024 + }, + "vm-pid": { + "type": "keyword", + "ignore_above": 1024 + }, + "watch": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "messages": { + "type": "text", + "norms": false + }, + "paths": { + "properties": { + "dev": { + "type": "keyword", + "ignore_above": 1024 + }, + "inode": { + "type": "keyword", + "ignore_above": 1024 + }, + "item": { + "type": "keyword", + "ignore_above": 1024 + }, + "mode": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "nametype": { + "type": "keyword", + "ignore_above": 1024 + }, + 
"obj_domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "obj_level": { + "type": "keyword", + "ignore_above": 1024 + }, + "obj_role": { + "type": "keyword", + "ignore_above": 1024 + }, + "obj_user": { + "type": "keyword", + "ignore_above": 1024 + }, + "objtype": { + "type": "keyword", + "ignore_above": 1024 + }, + "ogid": { + "type": "keyword", + "ignore_above": 1024 + }, + "ouid": { + "type": "keyword", + "ignore_above": 1024 + }, + "rdev": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "result": { + "type": "keyword", + "ignore_above": 1024 + }, + "sequence": { + "type": "long" + }, + "session": { + "type": "keyword", + "ignore_above": 1024 + }, + "summary": { + "properties": { + "actor": { + "properties": { + "primary": { + "type": "keyword", + "ignore_above": 1024 + }, + "secondary": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "how": { + "type": "keyword", + "ignore_above": 1024 + }, + "object": { + "properties": { + "primary": { + "type": "keyword", + "ignore_above": 1024 + }, + "secondary": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "warnings": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "beat": { + "properties": { + "hostname": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "timezone": { + "type": "keyword", + "ignore_above": 1024 + }, + "version": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "destination": { + "properties": { + "hostname": { + "type": "keyword", + "ignore_above": 1024 + }, + "ip": { + "type": "ip" + }, + "path": { + "type": "keyword", + "ignore_above": 1024 + }, + "port": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "docker": { + "properties": { + "container": { + "properties": { + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "image": { + "type": "keyword", + "ignore_above": 1024 + }, + 
"labels": { + "type": "object" + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "error": { + "properties": { + "code": { + "type": "long" + }, + "message": { + "type": "text", + "norms": false + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "event": { + "properties": { + "action": { + "type": "keyword", + "ignore_above": 1024 + }, + "category": { + "type": "keyword", + "ignore_above": 1024 + }, + "module": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "fields": { + "type": "object" + }, + "file": { + "properties": { + "ctime": { + "type": "date" + }, + "device": { + "type": "keyword", + "ignore_above": 1024 + }, + "gid": { + "type": "keyword", + "ignore_above": 1024 + }, + "group": { + "type": "keyword", + "ignore_above": 1024 + }, + "inode": { + "type": "keyword", + "ignore_above": 1024 + }, + "mode": { + "type": "keyword", + "ignore_above": 1024 + }, + "mtime": { + "type": "date" + }, + "origin": { + "type": "text", + "norms": false, + "fields": { + "raw": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "owner": { + "type": "keyword", + "ignore_above": 1024 + }, + "path": { + "type": "text", + "norms": false, + "fields": { + "raw": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "selinux": { + "properties": { + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "level": { + "type": "keyword", + "ignore_above": 1024 + }, + "role": { + "type": "keyword", + "ignore_above": 1024 + }, + "user": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "setgid": { + "type": "boolean" + }, + "setuid": { + "type": "boolean" + }, + "size": { + "type": "long" + }, + "target_path": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "uid": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "geoip": { + "properties": { + 
"city_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "continent_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "country_iso_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "location": { + "type": "geo_point" + }, + "region_name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "hash": { + "properties": { + "blake2b_256": { + "type": "keyword", + "ignore_above": 1024 + }, + "blake2b_384": { + "type": "keyword", + "ignore_above": 1024 + }, + "blake2b_512": { + "type": "keyword", + "ignore_above": 1024 + }, + "md5": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha1": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha224": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha256": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha384": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha3_224": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha3_256": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha3_384": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha3_512": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha512": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha512_224": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha512_256": { + "type": "keyword", + "ignore_above": 1024 + }, + "xxh64": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "host": { + "properties": { + "architecture": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "os": { + "properties": { + "family": { + "type": "keyword", + "ignore_above": 1024 + }, + "platform": { + "type": "keyword", + "ignore_above": 1024 + }, + "version": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "kubernetes": { + "properties": { + "annotations": { + 
"type": "object" + }, + "container": { + "properties": { + "image": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "labels": { + "type": "object" + }, + "namespace": { + "type": "keyword", + "ignore_above": 1024 + }, + "node": { + "properties": { + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "pod": { + "properties": { + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "uid": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "meta": { + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "type": "keyword", + "ignore_above": 1024 + }, + "instance_id": { + "type": "keyword", + "ignore_above": 1024 + }, + "instance_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "machine_type": { + "type": "keyword", + "ignore_above": 1024 + }, + "project_id": { + "type": "keyword", + "ignore_above": 1024 + }, + "provider": { + "type": "keyword", + "ignore_above": 1024 + }, + "region": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "network": { + "properties": { + "direction": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "process": { + "properties": { + "args": { + "type": "keyword", + "ignore_above": 1024 + }, + "cwd": { + "type": "keyword", + "ignore_above": 1024 + }, + "exe": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "pid": { + "type": "keyword", + "ignore_above": 1024 + }, + "ppid": { + "type": "keyword", + "ignore_above": 1024 + }, + "title": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "source": { + "properties": { + "hostname": { + "type": "keyword", + "ignore_above": 1024 + }, + "ip": { + "type": "ip" + }, + "path": { + "type": "keyword", + "ignore_above": 1024 + }, + "port": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "tags": { + "type": "keyword", + "ignore_above": 1024 + 
}, + "user": { + "properties": { + "auid": { + "type": "keyword", + "ignore_above": 1024 + }, + "egid": { + "type": "keyword", + "ignore_above": 1024 + }, + "euid": { + "type": "keyword", + "ignore_above": 1024 + }, + "fsgid": { + "type": "keyword", + "ignore_above": 1024 + }, + "fsuid": { + "type": "keyword", + "ignore_above": 1024 + }, + "gid": { + "type": "keyword", + "ignore_above": 1024 + }, + "name_map": { + "properties": { + "auid": { + "type": "keyword", + "ignore_above": 1024 + }, + "egid": { + "type": "keyword", + "ignore_above": 1024 + }, + "euid": { + "type": "keyword", + "ignore_above": 1024 + }, + "fsgid": { + "type": "keyword", + "ignore_above": 1024 + }, + "fsuid": { + "type": "keyword", + "ignore_above": 1024 + }, + "gid": { + "type": "keyword", + "ignore_above": 1024 + }, + "sgid": { + "type": "keyword", + "ignore_above": 1024 + }, + "suid": { + "type": "keyword", + "ignore_above": 1024 + }, + "uid": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "selinux": { + "properties": { + "category": { + "type": "keyword", + "ignore_above": 1024 + }, + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "level": { + "type": "keyword", + "ignore_above": 1024 + }, + "role": { + "type": "keyword", + "ignore_above": 1024 + }, + "user": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "sgid": { + "type": "keyword", + "ignore_above": 1024 + }, + "suid": { + "type": "keyword", + "ignore_above": 1024 + }, + "uid": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "aliases": {} + } +} \ No newline at end of file diff --git a/x-pack/test/functional/es_archives/filebeat/kpi_hosts/data.json b/x-pack/test/functional/es_archives/filebeat/kpi_hosts/data.json new file mode 100644 index 000000000000..847158e90133 --- /dev/null +++ b/x-pack/test/functional/es_archives/filebeat/kpi_hosts/data.json 
@@ -0,0 +1,133 @@ +{ + "type": "doc", + "value": { + "id": "Lw4l02gBqd-n62Sw_lxm", + "index": "filebeat-7.0.0-iot-2019.06", + "source": { + "@timestamp": "2019-02-09T16:45:06.331Z", + "@version": "1", + "agent": { + "ephemeral_id": "97412477-f94f-4f25-a21f-4103798683db", + "hostname": "raspberrypi", + "id": "4d3ea604-27e5-4ec7-ab64-44f82285d776", + "type": "filebeat", + "version": "7.0.0" + }, + "destination": { + "domain": "s3-iad-2.cf.dash.row.aiv-cdn.net", + "ip": "10.100.7.196", + "port": 57854 + }, + "ecs": { + "version": "1.0.0-beta2" + }, + "event": { + "dataset": "suricata.eve", + "end": "2019-02-09T16:45:06.331Z", + "kind": "event", + "module": "suricata", + "type": "fileinfo" + }, + "file": { + "path": "/dm/2$XTMWANo0Q2RZKlH-95UoAahZrOg~/8cdf/ad98/e000/4b0d-8f72-8faf9aa1a35a/c3d5b471-4e36-45e0-8ca7-d789366f3b31_audio_13.mp4", + "size": 48277 + }, + "fileset": { + "name": "eve" + }, + "flow": { + "locality": "public" + }, + "host": { + "architecture": "armv7l", + "containerized": false, + "hostname": "raspberrypi", + "id": "b19a781f683541a7a25ee345133aa399", + "name": "raspberrypi", + "os": { + "codename": "stretch", + "family": "", + "kernel": "4.14.50-v7+", + "name": "Raspbian GNU/Linux", + "platform": "raspbian", + "version": "9 (stretch)" + } + }, + "http": { + "request": { + "method": "get" + }, + "response": { + "body": { + "bytes": 48277 + }, + "status_code": 206 + } + }, + "input": { + "type": "log" + }, + "labels": { + "pipeline": "filebeat-7.0.0-suricata-eve-pipeline" + }, + "log": { + "file": { + "path": "/var/log/suricata/eve.json" + }, + "offset": 1734115622 + }, + "network": { + "name": "iot", + "protocol": "http", + "transport": "tcp" + }, + "service": { + "type": "suricata" + }, + "source": { + "as": { + "num": 16509, + "org": "Amazon.com, Inc." 
+ }, + "domain": "server-54-239-220-184.ewr50.r.cloudfront.net", + "geo": { + "city_name": "Seattle", + "continent_name": "North America", + "country_iso_code": "US", + "location": { + "lat": 47.6103, + "lon": -122.3341 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "54.239.220.184", + "port": 80 + }, + "suricata": { + "eve": { + "fileinfo": { + "state": "CLOSED", + "stored": false, + "tx_id": 102 + }, + "flow_id": 311011499414922, + "http": { + "http_content_type": "video/mp4", + "protocol": "HTTP/1.1" + }, + "in_iface": "eth0" + } + }, + "tags": [ + "suricata" + ], + "url": { + "domain": "s3-iad-2.cf.dash.row.aiv-cdn.net", + "original": "/dm/2$XTMWANo0Q2RZKlH-95UoAahZrOg~/8cdf/ad98/e000/4b0d-8f72-8faf9aa1a35a/c3d5b471-4e36-45e0-8ca7-d789366f3b31_audio_13.mp4", + "path": "/dm/2$XTMWANo0Q2RZKlH-95UoAahZrOg~/8cdf/ad98/e000/4b0d-8f72-8faf9aa1a35a/c3d5b471-4e36-45e0-8ca7-d789366f3b31_audio_13.mp4" + } + }, + "type": "_doc" + } +} diff --git a/x-pack/test/functional/es_archives/filebeat/kpi_hosts/mappings.json b/x-pack/test/functional/es_archives/filebeat/kpi_hosts/mappings.json new file mode 100644 index 000000000000..1059fa49582f --- /dev/null +++ b/x-pack/test/functional/es_archives/filebeat/kpi_hosts/mappings.json 
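Review bot: The fixture document in this hunk embeds a real routable address (`"ip": "54.239.220.184"` under `source`) together with real public hostnames (`server-54-239-220-184.ewr50.r.cloudfront.net`, `s3-iad-2.cf.dash.row.aiv-cdn.net`) and a geo location, which is the kind of third-party infrastructure identifier test data usually avoids carrying. As far as the visible assertions go, the KPI expectation in this commit (`hosts: 1`, a single histogram bucket at 2019-02-09T16:45:06) appears to depend only on `@timestamp` and `host.*`, so the network fields could be replaced with documentation-range values without changing the test — please confirm no other assertion in kpi_hosts.ts reads `source.ip` or `url.domain`. Suggested substitutions: `"ip": "203.0.113.184"` (RFC 5737 TEST-NET-3) and `"domain": "cdn.example.net"` for the two hostnames; the destination `10.100.7.196` is already a private address and can stay.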
@@ -0,0 +1,5940 @@ +{ + "type": "index", + "value": { + "aliases": { + }, + "index": "filebeat-7.0.0-iot-2019.06", + "mappings": { + "_meta": { + "beat": "filebeat", + "version": "7.0.0" + }, + "date_detection": false, + "dynamic_templates": [ + { + "container.labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "container.labels.*" + } + }, + { + "fields": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "fields.*" + } + }, + { + "docker.container.labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "docker.container.labels.*" + } + }, + { + "kibana.log.meta": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "kibana.log.meta.*" + } + }, + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "@version": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent": { + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "apache": { + "properties": { + "access": { + "properties": { + "ssl": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "error": { + "properties": { + "module": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "apache2": { + "properties": { + "access": { + "properties": { + "geoip": { + "type": "object" + }, + "user_agent": { + "type": "object" + } 
+ } + }, + "error": { + "type": "object" + } + } + }, + "auditd": { + "properties": { + "log": { + "properties": { + "a0": { + "ignore_above": 1024, + "type": "keyword" + }, + "addr": { + "type": "ip" + }, + "geoip": { + "type": "object" + }, + "item": { + "ignore_above": 1024, + "type": "keyword" + }, + "items": { + "ignore_above": 1024, + "type": "keyword" + }, + "laddr": { + "type": "ip" + }, + "lport": { + "type": "long" + }, + "new_auid": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_ses": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_auid": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_ses": { + "ignore_above": 1024, + "type": "keyword" + }, + "rport": { + "type": "long" + }, + "sequence": { + "type": "long" + }, + "tty": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "certificate": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cisco": { + "properties": { + "access_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "log": { + "properties": { + "facility": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "num": { + "type": "long" + }, + "org": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain_top1m_rank": { + "type": "long" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + } + } + }, + "docker": { + "properties": { + "container": { + "properties": { + "labels": { + "type": "object" + } + } + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elasticsearch": { + "properties": { + "audit": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "indices": { + "ignore_above": 1024, + "type": "keyword" + }, + "layer": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "realm": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "params": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "realm": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "component": { + "ignore_above": 1024, + "type": "keyword" + }, + "deprecation": { + "type": "object" + }, + "gc": { + "properties": { + "heap": { + "properties": { + "size_kb": { + "type": "long" + }, + "used_kb": { + "type": 
"long" + } + } + }, + "jvm_runtime_sec": { + "type": "float" + }, + "old_gen": { + "properties": { + "size_kb": { + "type": "long" + }, + "used_kb": { + "type": "long" + } + } + }, + "phase": { + "properties": { + "class_unload_time_sec": { + "type": "float" + }, + "cpu_time": { + "properties": { + "real_sec": { + "type": "float" + }, + "sys_sec": { + "type": "float" + }, + "user_sec": { + "type": "float" + } + } + }, + "duration_sec": { + "type": "float" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parallel_rescan_time_sec": { + "type": "float" + }, + "scrub_string_table_time_sec": { + "type": "float" + }, + "scrub_symbol_table_time_sec": { + "type": "float" + }, + "weak_refs_processing_time_sec": { + "type": "float" + } + } + }, + "stopping_threads_time_sec": { + "type": "float" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threads_total_stop_time_sec": { + "type": "float" + }, + "young_gen": { + "properties": { + "size_kb": { + "type": "long" + }, + "used_kb": { + "type": "long" + } + } + } + } + }, + "index": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "node": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "gc": { + "properties": { + "collection_duration": { + "properties": { + "ms": { + "type": "float" + } + } + }, + "observation_duration": { + "properties": { + "ms": { + "type": "float" + } + } + }, + "overhead_seq": { + "type": "long" + }, + "young": { + "properties": { + "one": { + "type": "long" + }, + "two": { + "type": "long" + } + } + } + } + }, + "stacktrace": { + "ignore_above": 1024, + "index": false, + "type": "keyword" + } + } + }, + "shard": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "slowlog": { + "properties": { + 
"extra_source": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "routing": { + "ignore_above": 1024, + "type": "keyword" + }, + "search_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_query": { + "ignore_above": 1024, + "type": "keyword" + }, + "stats": { + "ignore_above": 1024, + "type": "keyword" + }, + "took": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_hits": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_shards": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "types": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "severity": { + "type": "long" + }, + 
"start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "fields": { + "type": "object" + }, + "file": { + "properties": { + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "fileset": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flow": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "haproxy": { + "properties": { + "backend_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "backend_queue": { + "type": "long" + }, + "bind_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes_read": { + "type": "long" + }, + "client": { + "type": "object" + }, + "connection_wait_time_ms": { + "type": "long" + }, + "connections": { + "properties": { + "active": { + "type": "long" + }, + "backend": { + "type": "long" + }, + "frontend": { + "type": "long" + }, + "retries": { + "type": "long" + }, + "server": { + 
"type": "long" + } + } + }, + "destination": { + "type": "object" + }, + "error_message": { + "norms": false, + "type": "text" + }, + "frontend_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "geoip": { + "type": "object" + }, + "http": { + "properties": { + "request": { + "properties": { + "captured_cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "captured_headers": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_request_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_wait_ms": { + "type": "long" + }, + "time_wait_without_data_ms": { + "type": "long" + } + } + }, + "response": { + "properties": { + "captured_cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "captured_headers": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "server_queue": { + "type": "long" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp": { + "properties": { + "connection_waiting_time_ms": { + "type": "long" + } + } + }, + "termination_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_backend_connect": { + "type": "long" + }, + "time_queue": { + "type": "long" + }, + "total_waiting_time_ms": { + "type": "long" + } + } + }, + "hash": { + "properties": { + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "containerized": { + "type": "boolean" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 
1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "icinga": { + "properties": { + "debug": { + "properties": { + "facility": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "main": { + "properties": { + "facility": { + "ignore_above": 1024, + "type": "keyword" + } + } + 
}, + "startup": { + "properties": { + "facility": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "icmp": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "iis": { + "properties": { + "access": { + "properties": { + "cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "geoip": { + "type": "object" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "site_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_status": { + "type": "long" + }, + "user_agent": { + "type": "object" + }, + "win32_status": { + "type": "long" + } + } + }, + "error": { + "properties": { + "geoip": { + "type": "object" + }, + "queue_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason_phrase": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "iptables": { + "properties": { + "ether_type": { + "type": "long" + }, + "flow_label": { + "type": "long" + }, + "fragment_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment_offset": { + "type": "long" + }, + "icmp": { + "properties": { + "code": { + "type": "long" + }, + "id": { + "type": "long" + }, + "parameter": { + "type": "long" + }, + "redirect": { + "type": "ip" + }, + "seq": { + "type": "long" + }, + "type": { + "type": "long" + } + } + }, + "id": { + "type": "long" + }, + "incomplete_bytes": { + "type": "long" + }, + "input_device": { + "ignore_above": 1024, + "type": "keyword" + }, + "length": { + "type": "long" + }, + "output_device": { + "ignore_above": 1024, + "type": "keyword" + }, + "precedence_bits": { + "type": "short" + }, + "tcp": { + "properties": { + "ack": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "reserved_bits": { + "type": "short" + }, + "seq": { + "type": "long" + 
}, + "window": { + "type": "long" + } + } + }, + "tos": { + "type": "long" + }, + "ttl": { + "type": "long" + }, + "ubiquiti": { + "properties": { + "input_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "output_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_set": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "udp": { + "properties": { + "length": { + "type": "long" + } + } + } + } + }, + "kafka": { + "properties": { + "log": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "component": { + "ignore_above": 1024, + "type": "keyword" + }, + "trace": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + } + } + } + } + } + } + }, + "kibana": { + "properties": { + "log": { + "properties": { + "meta": { + "type": "object" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "kubernetes": { + "properties": { + "annotations": { + "type": "object" + }, + "container": { + "properties": { + "image": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pod": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "labels": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "pipeline": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "logstash": { + "properties": { + "log": { + "properties": { + "log_event": { + "type": "object" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "slowlog": { + "properties": { + "event": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_params": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_params_object": { + "type": "object" + }, + "plugin_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "took_in_millis": { + "type": "long" + } + } + } + } + }, + "message": { + "norms": false, + "type": "text" + }, + "mongodb": { + "properties": { + "log": { + "properties": { + "component": { + "ignore_above": 1024, + "type": "keyword" + }, + "context": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "mysql": { + "properties": { + "error": { + "type": "object" + }, + "slowlog": { + "properties": { + "bytes_sent": { + "type": "long" + }, + "current_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "filesort": { + "type": "boolean" + }, + "filesort_on_disk": { + 
"type": "boolean" + }, + "full_join": { + "type": "boolean" + }, + "full_scan": { + "type": "boolean" + }, + "innodb": { + "properties": { + "io_r_bytes": { + "type": "long" + }, + "io_r_ops": { + "type": "long" + }, + "io_r_wait": { + "properties": { + "sec": { + "type": "long" + } + } + }, + "pages_distinct": { + "type": "long" + }, + "queue_wait": { + "properties": { + "sec": { + "type": "long" + } + } + }, + "rec_lock_wait": { + "properties": { + "sec": { + "type": "long" + } + } + }, + "trx_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "killed": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_errno": { + "ignore_above": 1024, + "type": "keyword" + }, + "lock_time": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "log_slow_rate_limit": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_slow_rate_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "merge_passes": { + "type": "long" + }, + "priority_queue": { + "type": "boolean" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "query_cache_hit": { + "type": "boolean" + }, + "rows_affected": { + "type": "long" + }, + "rows_examined": { + "type": "long" + }, + "rows_sent": { + "type": "long" + }, + "schema": { + "ignore_above": 1024, + "type": "keyword" + }, + "tmp_disk_tables": { + "type": "long" + }, + "tmp_table": { + "type": "boolean" + }, + "tmp_table_on_disk": { + "type": "boolean" + }, + "tmp_table_sizes": { + "type": "long" + }, + "tmp_tables": { + "type": "long" + } + } + }, + "thread_id": { + "type": "long" + } + } + }, + "netflow": { + "properties": { + "absolute_error": { + "type": "double" + }, + "address_pool_high_threshold": { + "type": "long" + }, + "address_pool_low_threshold": { + "type": "long" + }, + "address_port_mapping_high_threshold": { + "type": "long" + }, + "address_port_mapping_low_threshold": { + "type": "long" + }, + "address_port_mapping_per_user_high_threshold": { + "type": "long" + }, + 
"anonymization_flags": { + "type": "long" + }, + "anonymization_technique": { + "type": "long" + }, + "application_category_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_group_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_id": { + "type": "short" + }, + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_sub_category_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "bgp_destination_as_number": { + "type": "long" + }, + "bgp_next_adjacent_as_number": { + "type": "long" + }, + "bgp_next_hop_ipv4_address": { + "type": "ip" + }, + "bgp_next_hop_ipv6_address": { + "type": "ip" + }, + "bgp_prev_adjacent_as_number": { + "type": "long" + }, + "bgp_source_as_number": { + "type": "long" + }, + "bgp_validity_state": { + "type": "short" + }, + "biflow_direction": { + "type": "short" + }, + "class_id": { + "type": "short" + }, + "class_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification_engine_id": { + "type": "short" + }, + "collection_time_milliseconds": { + "type": "date" + }, + "collector_certificate": { + "type": "short" + }, + "collector_ipv4_address": { + "type": "ip" + }, + "collector_ipv6_address": { + "type": "ip" + }, + "collector_transport_port": { + "type": "long" + }, + "common_properties_id": { + "type": "long" + }, + "confidence_level": { + "type": "double" + }, + "connection_sum_duration_seconds": { + "type": "long" + }, + "connection_transaction_id": { + "type": "long" + }, + "data_link_frame_section": { + "type": "short" + }, + "data_link_frame_size": { + "type": "long" + }, + "data_link_frame_type": { + "type": "long" + }, + "data_records_reliability": { + "type": "boolean" + }, + "delta_flow_count": { + "type": "long" + }, + "destination_ipv4_address": { + "type": "ip" + }, + "destination_ipv4_prefix": { + "type": "ip" + }, + 
"destination_ipv4_prefix_length": { + "type": "short" + }, + "destination_ipv6_address": { + "type": "ip" + }, + "destination_ipv6_prefix": { + "type": "ip" + }, + "destination_ipv6_prefix_length": { + "type": "short" + }, + "destination_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_transport_port": { + "type": "long" + }, + "digest_hash_value": { + "type": "long" + }, + "distinct_count_of_destinatio_nipa_ddress": { + "type": "long" + }, + "distinct_count_of_destination_ipv4_address": { + "type": "long" + }, + "distinct_count_of_destination_ipv6_address": { + "type": "long" + }, + "distinct_count_of_sourc_eipa_ddress": { + "type": "long" + }, + "distinct_count_of_source_ipv4_address": { + "type": "long" + }, + "distinct_count_of_source_ipv6_address": { + "type": "long" + }, + "dot1q_customer_dei": { + "type": "boolean" + }, + "dot1q_customer_destination_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "dot1q_customer_priority": { + "type": "short" + }, + "dot1q_customer_source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "dot1q_customer_vlan_id": { + "type": "long" + }, + "dot1q_dei": { + "type": "boolean" + }, + "dot1q_priority": { + "type": "short" + }, + "dot1q_service_instance_id": { + "type": "long" + }, + "dot1q_service_instance_priority": { + "type": "short" + }, + "dot1q_service_instance_tag": { + "type": "short" + }, + "dot1q_vlan_id": { + "type": "long" + }, + "dropped_layer2_octet_delta_count": { + "type": "long" + }, + "dropped_layer2_octet_total_count": { + "type": "long" + }, + "dropped_octet_delta_count": { + "type": "long" + }, + "dropped_octet_total_count": { + "type": "long" + }, + "dropped_packet_delta_count": { + "type": "long" + }, + "dropped_packet_total_count": { + "type": "long" + }, + "dst_traffic_index": { + "type": "long" + }, + "egress_broadcast_packet_total_count": { + "type": "long" + }, + "egress_interface": { + "type": "long" + }, + "egress_interface_type": { + 
"type": "long" + }, + "egress_physical_interface": { + "type": "long" + }, + "egress_unicast_packet_total_count": { + "type": "long" + }, + "egress_vrfid": { + "type": "long" + }, + "encrypted_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "engine_id": { + "type": "short" + }, + "engine_type": { + "type": "short" + }, + "ethernet_header_length": { + "type": "short" + }, + "ethernet_payload_length": { + "type": "long" + }, + "ethernet_total_length": { + "type": "long" + }, + "ethernet_type": { + "type": "long" + }, + "export_interface": { + "type": "long" + }, + "export_protocol_version": { + "type": "short" + }, + "export_sctp_stream_id": { + "type": "long" + }, + "export_transport_protocol": { + "type": "short" + }, + "exported_flow_record_total_count": { + "type": "long" + }, + "exported_message_total_count": { + "type": "long" + }, + "exported_octet_total_count": { + "type": "long" + }, + "exporter": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_id": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "uptime_millis": { + "type": "long" + }, + "version": { + "type": "long" + } + } + }, + "exporter_certificate": { + "type": "short" + }, + "exporter_ipv4_address": { + "type": "ip" + }, + "exporter_ipv6_address": { + "type": "ip" + }, + "exporter_transport_port": { + "type": "long" + }, + "exporting_process_id": { + "type": "long" + }, + "external_address_realm": { + "type": "short" + }, + "firewall_event": { + "type": "short" + }, + "flags_and_sampler_id": { + "type": "long" + }, + "flow_active_timeout": { + "type": "long" + }, + "flow_direction": { + "type": "short" + }, + "flow_duration_microseconds": { + "type": "long" + }, + "flow_duration_milliseconds": { + "type": "long" + }, + "flow_end_delta_microseconds": { + "type": "long" + }, + "flow_end_microseconds": { + "type": "date" + }, + "flow_end_milliseconds": { + "type": "date" + }, + "flow_end_nanoseconds": { + "type": "date" + 
}, + "flow_end_reason": { + "type": "short" + }, + "flow_end_seconds": { + "type": "date" + }, + "flow_end_sys_up_time": { + "type": "long" + }, + "flow_id": { + "type": "long" + }, + "flow_idle_timeout": { + "type": "long" + }, + "flow_key_indicator": { + "type": "long" + }, + "flow_label_ipv6": { + "type": "long" + }, + "flow_sampling_time_interval": { + "type": "long" + }, + "flow_sampling_time_spacing": { + "type": "long" + }, + "flow_selected_flow_delta_count": { + "type": "long" + }, + "flow_selected_octet_delta_count": { + "type": "long" + }, + "flow_selected_packet_delta_count": { + "type": "long" + }, + "flow_selector_algorithm": { + "type": "long" + }, + "flow_start_delta_microseconds": { + "type": "long" + }, + "flow_start_microseconds": { + "type": "date" + }, + "flow_start_milliseconds": { + "type": "date" + }, + "flow_start_nanoseconds": { + "type": "date" + }, + "flow_start_seconds": { + "type": "date" + }, + "flow_start_sys_up_time": { + "type": "long" + }, + "forwarding_status": { + "type": "short" + }, + "fragment_flags": { + "type": "short" + }, + "fragment_identification": { + "type": "long" + }, + "fragment_offset": { + "type": "long" + }, + "global_address_mapping_high_threshold": { + "type": "long" + }, + "gre_key": { + "type": "long" + }, + "hash_digest_output": { + "type": "boolean" + }, + "hash_flow_domain": { + "type": "long" + }, + "hash_initialiser_value": { + "type": "long" + }, + "hash_ipp_ayload_offset": { + "type": "long" + }, + "hash_ipp_ayload_size": { + "type": "long" + }, + "hash_output_range_max": { + "type": "long" + }, + "hash_output_range_min": { + "type": "long" + }, + "hash_selected_range_max": { + "type": "long" + }, + "hash_selected_range_min": { + "type": "long" + }, + "http_content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_message_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_reason_phrase": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_request_host": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "http_request_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_request_target": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_status_code": { + "type": "long" + }, + "http_user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code_ipv4": { + "type": "short" + }, + "icmp_code_ipv6": { + "type": "short" + }, + "icmp_type_code_ipv4": { + "type": "long" + }, + "icmp_type_code_ipv6": { + "type": "long" + }, + "icmp_type_ipv4": { + "type": "short" + }, + "icmp_type_ipv6": { + "type": "short" + }, + "igmp_type": { + "type": "short" + }, + "ignored_data_record_total_count": { + "type": "long" + }, + "ignored_layer2_frame_total_count": { + "type": "long" + }, + "ignored_layer2_octet_total_count": { + "type": "long" + }, + "ignored_octet_total_count": { + "type": "long" + }, + "ignored_packet_total_count": { + "type": "long" + }, + "information_element_data_type": { + "type": "short" + }, + "information_element_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "information_element_id": { + "type": "long" + }, + "information_element_index": { + "type": "long" + }, + "information_element_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "information_element_range_begin": { + "type": "long" + }, + "information_element_range_end": { + "type": "long" + }, + "information_element_semantics": { + "type": "short" + }, + "information_element_units": { + "type": "long" + }, + "ingress_broadcast_packet_total_count": { + "type": "long" + }, + "ingress_interface": { + "type": "long" + }, + "ingress_interface_type": { + "type": "long" + }, + "ingress_multicast_packet_total_count": { + "type": "long" + }, + "ingress_physical_interface": { + "type": "long" + }, + "ingress_unicast_packet_total_count": { + "type": "long" + }, + "ingress_vrfid": { + "type": "long" + }, + "initiator_octets": { + "type": "long" + }, + "initiator_packets": { + "type": "long" + }, + 
"interface_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "intermediate_process_id": { + "type": "long" + }, + "internal_address_realm": { + "type": "short" + }, + "ip_class_of_service": { + "type": "short" + }, + "ip_diff_serv_code_point": { + "type": "short" + }, + "ip_header_length": { + "type": "short" + }, + "ip_header_packet_section": { + "type": "short" + }, + "ip_next_hop_ipv4_address": { + "type": "ip" + }, + "ip_next_hop_ipv6_address": { + "type": "ip" + }, + "ip_payload_length": { + "type": "long" + }, + "ip_payload_packet_section": { + "type": "short" + }, + "ip_precedence": { + "type": "short" + }, + "ip_sec_spi": { + "type": "long" + }, + "ip_total_length": { + "type": "long" + }, + "ip_ttl": { + "type": "short" + }, + "ip_version": { + "type": "short" + }, + "ipv4_ihl": { + "type": "short" + }, + "ipv4_options": { + "type": "long" + }, + "ipv4_router_sc": { + "type": "ip" + }, + "ipv6_extension_headers": { + "type": "long" + }, + "is_multicast": { + "type": "short" + }, + "layer2_frame_delta_count": { + "type": "long" + }, + "layer2_frame_total_count": { + "type": "long" + }, + "layer2_octet_delta_count": { + "type": "long" + }, + "layer2_octet_delta_sum_of_squares": { + "type": "long" + }, + "layer2_octet_total_count": { + "type": "long" + }, + "layer2_octet_total_sum_of_squares": { + "type": "long" + }, + "layer2_segment_id": { + "type": "long" + }, + "layer2packet_section_data": { + "type": "short" + }, + "layer2packet_section_offset": { + "type": "long" + }, + "layer2packet_section_size": { + "type": "long" + }, + "line_card_id": { + "type": "long" + }, + "lower_cli_imit": { + "type": "double" + }, + "max_bieb_ntries": { + "type": "long" + }, + "max_entries_per_user": { + "type": "long" + }, + "max_export_seconds": { + "type": "date" + }, + "max_flow_end_microseconds": { + "type": "date" + }, + "max_flow_end_milliseconds": { + "type": "date" + }, + 
"max_flow_end_nanoseconds": { + "type": "date" + }, + "max_flow_end_seconds": { + "type": "date" + }, + "max_fragments_pending_reassembly": { + "type": "long" + }, + "max_session_entries": { + "type": "long" + }, + "max_subscribers": { + "type": "long" + }, + "maximum_ip_total_length": { + "type": "long" + }, + "maximum_layer2_total_length": { + "type": "long" + }, + "maximum_ttl": { + "type": "short" + }, + "message_md5_checksum": { + "type": "short" + }, + "message_scope": { + "type": "short" + }, + "metering_process_id": { + "type": "long" + }, + "metro_evc_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "metro_evc_type": { + "type": "short" + }, + "mib_capture_time_semantics": { + "type": "short" + }, + "mib_context_engine_id": { + "type": "short" + }, + "mib_context_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_index_indicator": { + "type": "long" + }, + "mib_module_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_identifier": { + "type": "short" + }, + "mib_object_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_syntax": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_value_bits": { + "type": "short" + }, + "mib_object_value_counter": { + "type": "long" + }, + "mib_object_value_gauge": { + "type": "long" + }, + "mib_object_value_integer": { + "type": "long" + }, + "mib_object_value_octet_string": { + "type": "short" + }, + "mib_object_value_oid": { + "type": "short" + }, + "mib_object_value_time_ticks": { + "type": "long" + }, + "mib_object_value_unsigned": { + "type": "long" + }, + "mib_object_valuei_pa_ddress": { + "type": "ip" + }, + "mib_sub_identifier": { + "type": "long" + }, + "min_export_seconds": { + "type": "date" + }, + "min_flow_start_microseconds": { + "type": "date" + }, + "min_flow_start_milliseconds": { + "type": "date" + }, + "min_flow_start_nanoseconds": { + "type": "date" 
+ }, + "min_flow_start_seconds": { + "type": "date" + }, + "minimum_ip_total_length": { + "type": "long" + }, + "minimum_layer2_total_length": { + "type": "long" + }, + "minimum_ttl": { + "type": "short" + }, + "mobile_imsi": { + "ignore_above": 1024, + "type": "keyword" + }, + "mobile_msisdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitoring_interval_end_milli_seconds": { + "type": "date" + }, + "monitoring_interval_start_milli_seconds": { + "type": "date" + }, + "mpls_label_stack_depth": { + "type": "long" + }, + "mpls_label_stack_length": { + "type": "long" + }, + "mpls_label_stack_section": { + "type": "short" + }, + "mpls_label_stack_section10": { + "type": "short" + }, + "mpls_label_stack_section2": { + "type": "short" + }, + "mpls_label_stack_section3": { + "type": "short" + }, + "mpls_label_stack_section4": { + "type": "short" + }, + "mpls_label_stack_section5": { + "type": "short" + }, + "mpls_label_stack_section6": { + "type": "short" + }, + "mpls_label_stack_section7": { + "type": "short" + }, + "mpls_label_stack_section8": { + "type": "short" + }, + "mpls_label_stack_section9": { + "type": "short" + }, + "mpls_payload_length": { + "type": "long" + }, + "mpls_payload_packet_section": { + "type": "short" + }, + "mpls_top_label_exp": { + "type": "short" + }, + "mpls_top_label_ipv4_address": { + "type": "ip" + }, + "mpls_top_label_ipv6_address": { + "type": "ip" + }, + "mpls_top_label_prefix_length": { + "type": "short" + }, + "mpls_top_label_stack_section": { + "type": "short" + }, + "mpls_top_label_ttl": { + "type": "short" + }, + "mpls_top_label_type": { + "type": "short" + }, + "mpls_vpn_route_distinguisher": { + "type": "short" + }, + "multicast_replication_factor": { + "type": "long" + }, + "nat_event": { + "type": "short" + }, + "nat_instance_id": { + "type": "long" + }, + "nat_originating_address_realm": { + "type": "short" + }, + "nat_pool_id": { + "type": "long" + }, + "nat_pool_name": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "nat_quota_exceeded_event": { + "type": "long" + }, + "nat_threshold_event": { + "type": "long" + }, + "nat_type": { + "type": "short" + }, + "new_connection_delta_count": { + "type": "long" + }, + "next_header_ipv6": { + "type": "short" + }, + "not_sent_flow_total_count": { + "type": "long" + }, + "not_sent_layer2_octet_total_count": { + "type": "long" + }, + "not_sent_octet_total_count": { + "type": "long" + }, + "not_sent_packet_total_count": { + "type": "long" + }, + "observation_domain_id": { + "type": "long" + }, + "observation_domain_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observation_point_id": { + "type": "long" + }, + "observation_point_type": { + "type": "short" + }, + "observation_time_microseconds": { + "type": "date" + }, + "observation_time_milliseconds": { + "type": "date" + }, + "observation_time_nanoseconds": { + "type": "date" + }, + "observation_time_seconds": { + "type": "date" + }, + "observed_flow_total_count": { + "type": "long" + }, + "octet_delta_count": { + "type": "long" + }, + "octet_delta_sum_of_squares": { + "type": "long" + }, + "octet_total_count": { + "type": "long" + }, + "octet_total_sum_of_squares": { + "type": "long" + }, + "opaque_octets": { + "type": "short" + }, + "original_exporter_ipv4_address": { + "type": "ip" + }, + "original_exporter_ipv6_address": { + "type": "ip" + }, + "original_flows_completed": { + "type": "long" + }, + "original_flows_initiated": { + "type": "long" + }, + "original_flows_present": { + "type": "long" + }, + "original_observation_domain_id": { + "type": "long" + }, + "p2p_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_delta_count": { + "type": "long" + }, + "packet_total_count": { + "type": "long" + }, + "padding_octets": { + "type": "short" + }, + "payload_length_ipv6": { + "type": "long" + }, + "port_id": { + "type": "long" + }, + "port_range_end": { + "type": "long" + }, + "port_range_num_ports": { + "type": "long" + }, + "port_range_start": 
{ + "type": "long" + }, + "port_range_step_size": { + "type": "long" + }, + "post_destination_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "post_dot1q_customer_vlan_id": { + "type": "long" + }, + "post_dot1q_vlan_id": { + "type": "long" + }, + "post_ip_class_of_service": { + "type": "short" + }, + "post_ip_diff_serv_code_point": { + "type": "short" + }, + "post_ip_precedence": { + "type": "short" + }, + "post_layer2_octet_delta_count": { + "type": "long" + }, + "post_layer2_octet_total_count": { + "type": "long" + }, + "post_mcast_layer2_octet_delta_count": { + "type": "long" + }, + "post_mcast_layer2_octet_total_count": { + "type": "long" + }, + "post_mcast_octet_delta_count": { + "type": "long" + }, + "post_mcast_octet_total_count": { + "type": "long" + }, + "post_mcast_packet_delta_count": { + "type": "long" + }, + "post_mcast_packet_total_count": { + "type": "long" + }, + "post_mpls_top_label_exp": { + "type": "short" + }, + "post_nadt_estination_ipv4_address": { + "type": "ip" + }, + "post_nadt_estination_ipv6_address": { + "type": "ip" + }, + "post_napdt_estination_transport_port": { + "type": "long" + }, + "post_napst_ource_transport_port": { + "type": "long" + }, + "post_nast_ource_ipv4_address": { + "type": "ip" + }, + "post_nast_ource_ipv6_address": { + "type": "ip" + }, + "post_octet_delta_count": { + "type": "long" + }, + "post_octet_total_count": { + "type": "long" + }, + "post_packet_delta_count": { + "type": "long" + }, + "post_packet_total_count": { + "type": "long" + }, + "post_source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "post_vlan_id": { + "type": "long" + }, + "private_enterprise_number": { + "type": "long" + }, + "protocol_identifier": { + "type": "short" + }, + "pseudo_wire_control_word": { + "type": "long" + }, + "pseudo_wire_destination_ipv4_address": { + "type": "ip" + }, + "pseudo_wire_id": { + "type": "long" + }, + "pseudo_wire_type": { + "type": "long" + }, + "relative_error": { + 
"type": "double" + }, + "responder_octets": { + "type": "long" + }, + "responder_packets": { + "type": "long" + }, + "rfc3550_jitter_microseconds": { + "type": "long" + }, + "rfc3550_jitter_milliseconds": { + "type": "long" + }, + "rfc3550_jitter_nanoseconds": { + "type": "long" + }, + "rtp_sequence_number": { + "type": "long" + }, + "sampler_id": { + "type": "short" + }, + "sampler_mode": { + "type": "short" + }, + "sampler_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sampler_random_interval": { + "type": "long" + }, + "sampling_algorithm": { + "type": "short" + }, + "sampling_flow_interval": { + "type": "long" + }, + "sampling_flow_spacing": { + "type": "long" + }, + "sampling_interval": { + "type": "long" + }, + "sampling_packet_interval": { + "type": "long" + }, + "sampling_packet_space": { + "type": "long" + }, + "sampling_population": { + "type": "long" + }, + "sampling_probability": { + "type": "double" + }, + "sampling_size": { + "type": "long" + }, + "sampling_time_interval": { + "type": "long" + }, + "sampling_time_space": { + "type": "long" + }, + "section_exported_octets": { + "type": "long" + }, + "section_offset": { + "type": "long" + }, + "selection_sequence_id": { + "type": "long" + }, + "selector_algorithm": { + "type": "long" + }, + "selector_id": { + "type": "long" + }, + "selector_id_total_pkts_observed": { + "type": "long" + }, + "selector_id_total_pkts_selected": { + "type": "long" + }, + "selector_itd_otal_flows_observed": { + "type": "long" + }, + "selector_itd_otal_flows_selected": { + "type": "long" + }, + "selector_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_scope": { + "type": "short" + }, + "source_ipv4_address": { + "type": "ip" + }, + "source_ipv4_prefix": { + "type": "ip" + }, + "source_ipv4_prefix_length": { + "type": "short" + }, + "source_ipv6_address": { + "type": "ip" + }, + "source_ipv6_prefix": { + "type": "ip" + }, + "source_ipv6_prefix_length": { + "type": "short" + }, + 
"source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_transport_port": { + "type": "long" + }, + "source_transport_ports_limit": { + "type": "long" + }, + "src_traffic_index": { + "type": "long" + }, + "sta_ipv4_address": { + "type": "ip" + }, + "sta_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "system_init_time_milliseconds": { + "type": "date" + }, + "tcp_ack_total_count": { + "type": "long" + }, + "tcp_acknowledgement_number": { + "type": "long" + }, + "tcp_control_bits": { + "type": "long" + }, + "tcp_destination_port": { + "type": "long" + }, + "tcp_fin_total_count": { + "type": "long" + }, + "tcp_header_length": { + "type": "short" + }, + "tcp_options": { + "type": "long" + }, + "tcp_psh_total_count": { + "type": "long" + }, + "tcp_rst_total_count": { + "type": "long" + }, + "tcp_sequence_number": { + "type": "long" + }, + "tcp_source_port": { + "type": "long" + }, + "tcp_syn_total_count": { + "type": "long" + }, + "tcp_urg_total_count": { + "type": "long" + }, + "tcp_urgent_pointer": { + "type": "long" + }, + "tcp_window_scale": { + "type": "long" + }, + "tcp_window_size": { + "type": "long" + }, + "template_id": { + "type": "long" + }, + "total_length_ipv4": { + "type": "long" + }, + "transport_octet_delta_count": { + "type": "long" + }, + "transport_packet_delta_count": { + "type": "long" + }, + "tunnel_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "udp_destination_port": { + "type": "long" + }, + "udp_message_length": { + "type": "long" + }, + "udp_source_port": { + "type": "long" + }, + "upper_cli_imit": { + "type": "double" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "value_distribution_method": { + "type": "short" + }, + "virtual_station_interface_id": { + "type": "short" + }, + "virtual_station_interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_station_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "virtual_station_uuid": { + "type": "short" + }, + "vlan_id": { + "type": "long" + }, + "vpn_identifier": { + "type": "short" + }, + "vr_fname": { + "ignore_above": 1024, + "type": "keyword" + }, + "wlan_channel_id": { + "type": "short" + }, + "wlan_ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "wtp_mac_address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "nginx": { + "properties": { + "access": { + "properties": { + "geoip": { + "type": "object" + }, + "user_agent": { + "type": "object" + } + } + }, + "error": { + "properties": { + "connection_id": { + "type": "long" + } + } + } + } + }, + "observer": { + "properties": { + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "osquery": { + "properties": { + "result": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "calendar_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "unix_time": { + "type": "long" + } + } + } + } + }, + "postgresql": { + "properties": { + "log": { + "properties": { + "core_id": { + "type": "long" + }, + "database": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "program": { + "ignore_above": 1024, + "type": "keyword" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "redis": { + "properties": { + "log": { + "properties": { + "role": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "slowlog": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "cmd": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "properties": { + "us": { + "type": "long" + } + } + }, + "id": { + "type": "long" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "related": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "santa": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "decision": { + "ignore_above": 1024, + "type": "keyword" + }, + "disk": { + "properties": { + "bsdname": { + "ignore_above": 1024, + "type": "keyword" + }, + "bus": { + "ignore_above": 1024, + "type": "keyword" + }, + "fs": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "volume": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + 
"address": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + } + } + }, + "service": { + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "num": { + "type": "long" + }, + "org": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain_top1m_rank": { + "type": "long" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { 
+ "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + } + } + }, + "stream": { + "ignore_above": 1024, + "type": "keyword" + }, + "suricata": { + "properties": { + "eve": { + "properties": { + "alert": { + "properties": { + "action": { + "path": "event.outcome", + "type": "alias" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "type": "long" + }, + "rev": { + "type": "long" + }, + "severity": { + "path": "event.severity", + "type": "alias" + }, + "signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_id": { + "type": "long" + } + } + }, + "app_proto": { + "path": "network.protocol", + "type": "alias" + }, + "app_proto_expected": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_orig": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_tc": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_ts": { + "ignore_above": 1024, + "type": "keyword" + }, + "dest_ip": { + "path": "destination.ip", + "type": "alias" + }, + "dest_port": { + "path": "destination.port", + "type": "alias" + }, + "dns": { + "properties": { + "id": { + "type": "long" + }, + "rcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "rrname": { + "ignore_above": 1024, + "type": "keyword" + }, + "rrtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "tx_id": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "status": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileinfo": { + "properties": { + "filename": { + "path": "file.path", + "type": "alias" + }, + "gaps": { + "type": "boolean" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "path": "file.size", + "type": "alias" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "stored": { + "type": "boolean" + }, + "tx_id": { + "type": "long" + } + } + }, + "flags": { + "type": "object" + }, + "flow": { + "properties": { + "age": { + "type": "long" + }, + "alerted": { + "type": "boolean" + }, + "bytes_toclient": { + "path": "destination.bytes", + "type": "alias" + }, + "bytes_toserver": { + "path": "source.bytes", + "type": "alias" + }, + "end": { + "type": "date" + }, + "pkts_toclient": { + "path": "destination.packets", + "type": "alias" + }, + "pkts_toserver": { + "path": "source.packets", + "type": "alias" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "start": { + "path": "event.start", + "type": "alias" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flow_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "http": { + "properties": { + "hostname": { + "path": "url.domain", + "type": "alias" + }, + "http_content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_method": { + "path": "http.request.method", + "type": "alias" + }, + "http_refer": { + "path": "http.request.referrer", + "type": "alias" + }, + "http_user_agent": { + "path": "user_agent.original", + "type": "alias" + }, + "length": { + "path": "http.response.body.bytes", + "type": "alias" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "redirect": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "path": 
"http.response.status_code", + "type": "alias" + }, + "url": { + "path": "url.original", + "type": "alias" + } + } + }, + "icmp_code": { + "type": "long" + }, + "icmp_type": { + "type": "long" + }, + "in_iface": { + "ignore_above": 1024, + "type": "keyword" + }, + "pcap_cnt": { + "type": "long" + }, + "proto": { + "path": "network.transport", + "type": "alias" + }, + "smtp": { + "properties": { + "helo": { + "ignore_above": 1024, + "type": "keyword" + }, + "mail_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "rcpt_to": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "src_ip": { + "path": "source.ip", + "type": "alias" + }, + "src_port": { + "path": "source.port", + "type": "alias" + }, + "ssh": { + "properties": { + "client": { + "properties": { + "proto_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "software_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "proto_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "software_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "stats": { + "properties": { + "app_layer": { + "properties": { + "flow": { + "properties": { + "dcerpc_tcp": { + "type": "long" + }, + "dcerpc_udp": { + "type": "long" + }, + "dns_tcp": { + "type": "long" + }, + "dns_udp": { + "type": "long" + }, + "failed_tcp": { + "type": "long" + }, + "failed_udp": { + "type": "long" + }, + "ftp": { + "type": "long" + }, + "http": { + "type": "long" + }, + "imap": { + "type": "long" + }, + "msn": { + "type": "long" + }, + "smb": { + "type": "long" + }, + "smtp": { + "type": "long" + }, + "ssh": { + "type": "long" + }, + "tls": { + "type": "long" + } + } + }, + "tx": { + "properties": { + "dcerpc_tcp": { + "type": "long" + }, + "dcerpc_udp": { + "type": "long" + }, + "dns_tcp": { + "type": "long" + }, + "dns_udp": { + "type": "long" + }, + "ftp": { + "type": "long" + }, + "http": { + "type": "long" + }, + "smb": { + "type": 
"long" + }, + "smtp": { + "type": "long" + }, + "ssh": { + "type": "long" + }, + "tls": { + "type": "long" + } + } + } + } + }, + "capture": { + "properties": { + "kernel_drops": { + "type": "long" + }, + "kernel_ifdrops": { + "type": "long" + }, + "kernel_packets": { + "type": "long" + } + } + }, + "decoder": { + "properties": { + "avg_pkt_size": { + "type": "long" + }, + "bytes": { + "type": "long" + }, + "dce": { + "properties": { + "pkt_too_small": { + "type": "long" + } + } + }, + "erspan": { + "type": "long" + }, + "ethernet": { + "type": "long" + }, + "gre": { + "type": "long" + }, + "icmpv4": { + "type": "long" + }, + "icmpv6": { + "type": "long" + }, + "ieee8021ah": { + "type": "long" + }, + "invalid": { + "type": "long" + }, + "ipraw": { + "properties": { + "invalid_ip_version": { + "type": "long" + } + } + }, + "ipv4": { + "type": "long" + }, + "ipv4_in_ipv6": { + "type": "long" + }, + "ipv6": { + "type": "long" + }, + "ipv6_in_ipv6": { + "type": "long" + }, + "ltnull": { + "properties": { + "pkt_too_small": { + "type": "long" + }, + "unsupported_type": { + "type": "long" + } + } + }, + "max_pkt_size": { + "type": "long" + }, + "mpls": { + "type": "long" + }, + "null": { + "type": "long" + }, + "pkts": { + "type": "long" + }, + "ppp": { + "type": "long" + }, + "pppoe": { + "type": "long" + }, + "raw": { + "type": "long" + }, + "sctp": { + "type": "long" + }, + "sll": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "teredo": { + "type": "long" + }, + "udp": { + "type": "long" + }, + "vlan": { + "type": "long" + }, + "vlan_qinq": { + "type": "long" + } + } + }, + "defrag": { + "properties": { + "ipv4": { + "properties": { + "fragments": { + "type": "long" + }, + "reassembled": { + "type": "long" + }, + "timeouts": { + "type": "long" + } + } + }, + "ipv6": { + "properties": { + "fragments": { + "type": "long" + }, + "reassembled": { + "type": "long" + }, + "timeouts": { + "type": "long" + } + } + }, + "max_frag_hits": { + "type": "long" + } + } + 
}, + "detect": { + "properties": { + "alert": { + "type": "long" + } + } + }, + "dns": { + "properties": { + "memcap_global": { + "type": "long" + }, + "memcap_state": { + "type": "long" + }, + "memuse": { + "type": "long" + } + } + }, + "file_store": { + "properties": { + "open_files": { + "type": "long" + } + } + }, + "flow": { + "properties": { + "emerg_mode_entered": { + "type": "long" + }, + "emerg_mode_over": { + "type": "long" + }, + "icmpv4": { + "type": "long" + }, + "icmpv6": { + "type": "long" + }, + "memcap": { + "type": "long" + }, + "memuse": { + "type": "long" + }, + "spare": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "tcp_reuse": { + "type": "long" + }, + "udp": { + "type": "long" + } + } + }, + "flow_mgr": { + "properties": { + "bypassed_pruned": { + "type": "long" + }, + "closed_pruned": { + "type": "long" + }, + "est_pruned": { + "type": "long" + }, + "flows_checked": { + "type": "long" + }, + "flows_notimeout": { + "type": "long" + }, + "flows_removed": { + "type": "long" + }, + "flows_timeout": { + "type": "long" + }, + "flows_timeout_inuse": { + "type": "long" + }, + "new_pruned": { + "type": "long" + }, + "rows_busy": { + "type": "long" + }, + "rows_checked": { + "type": "long" + }, + "rows_empty": { + "type": "long" + }, + "rows_maxlen": { + "type": "long" + }, + "rows_skipped": { + "type": "long" + } + } + }, + "http": { + "properties": { + "memcap": { + "type": "long" + }, + "memuse": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "insert_data_normal_fail": { + "type": "long" + }, + "insert_data_overlap_fail": { + "type": "long" + }, + "insert_list_fail": { + "type": "long" + }, + "invalid_checksum": { + "type": "long" + }, + "memuse": { + "type": "long" + }, + "no_flow": { + "type": "long" + }, + "overlap": { + "type": "long" + }, + "overlap_diff_data": { + "type": "long" + }, + "pseudo": { + "type": "long" + }, + "pseudo_failed": { + "type": "long" + }, + "reassembly_gap": { + "type": "long" + }, + 
"reassembly_memuse": { + "type": "long" + }, + "rst": { + "type": "long" + }, + "segment_memcap_drop": { + "type": "long" + }, + "sessions": { + "type": "long" + }, + "ssn_memcap_drop": { + "type": "long" + }, + "stream_depth_reached": { + "type": "long" + }, + "syn": { + "type": "long" + }, + "synack": { + "type": "long" + } + } + }, + "uptime": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "ack": { + "type": "boolean" + }, + "fin": { + "type": "boolean" + }, + "psh": { + "type": "boolean" + }, + "rst": { + "type": "boolean" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "syn": { + "type": "boolean" + }, + "tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags_tc": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags_ts": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "timestamp": { + "path": "@timestamp", + "type": "alias" + }, + "tls": { + "properties": { + "fingerprint": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuerdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "notafter": { + "type": "date" + }, + "notbefore": { + "type": "date" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_resumed": { + "type": "boolean" + }, + "sni": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tx_id": { + "type": "long" + } + } + } + } + }, + "syslog": { + "properties": { + "facility": { + "type": "long" + }, + "facility_label": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "severity_label": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "system": { + "properties": { + "auth": { + "properties": { + "groupadd": { + "type": "object" + }, + "ssh": { + "properties": { + "dropped_ip": { + "type": "ip" + }, + "geoip": { + "type": "object" + }, + 
"method": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sudo": { + "properties": { + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "error": { + "ignore_above": 1024, + "type": "keyword" + }, + "pwd": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "useradd": { + "properties": { + "home": { + "ignore_above": 1024, + "type": "keyword" + }, + "shell": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "syslog": { + "type": "object" + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "traefik": { + "properties": { + "access": { + "properties": { + "backend_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "frontend_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "geoip": { + "properties": { + "city_name": { + "path": "source.geo.city_name", + "type": "alias" + }, + "continent_name": { + "path": "source.geo.continent_name", + "type": "alias" + }, + "country_iso_code": { + "path": "source.geo.country_iso_code", + "type": "alias" + }, + "location": { + "path": "source.geo.location", + "type": "alias" + }, + "region_iso_code": { + "path": "source.geo.region_iso_code", + "type": "alias" + }, + "region_name": { + "path": "source.geo.region_name", + "type": "alias" + } + } + }, + "request_count": { + "type": "long" + }, + "user_agent": { + "properties": { + "device": { + "path": "user_agent.device.name", + "type": "alias" + }, + "name": { + "path": "user_agent.name", + "type": "alias" + }, + "original": { + "path": "user_agent.original", + "type": "alias" + }, + "os": { + "path": "user_agent.os.full_name", + "type": "alias" + }, + "os_name": { + "path": "user_agent.os.name", + "type": "alias" + } + } + }, + "user_identifier": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + 
} + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "audit": { + "properties": { + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "effective": { + "properties": { + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "filesystem": { + "properties": { + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "properties": { + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved": { + "properties": { + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "terminal": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "major": { + "ignore_above": 1024, + "type": "keyword" + }, + "minor": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "major": { + "ignore_above": 1024, + "type": "keyword" + }, + "minor": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "patch": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zeek": { + "properties": { + "connection": { + 
"properties": { + "history": { + "ignore_above": 1024, + "type": "keyword" + }, + "local_orig": { + "type": "boolean" + }, + "local_resp": { + "type": "boolean" + }, + "missed_bytes": { + "type": "long" + }, + "orig_l2_addr": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dns": { + "properties": { + "AA": { + "type": "boolean" + }, + "RA": { + "type": "boolean" + }, + "RD": { + "type": "boolean" + }, + "TC": { + "type": "boolean" + }, + "TTLs": { + "type": "double" + }, + "answers": { + "ignore_above": 1024, + "type": "keyword" + }, + "qclass": { + "type": "long" + }, + "qclass_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "qtype": { + "type": "long" + }, + "qtype_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "rcode": { + "type": "long" + }, + "rcode_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rejected": { + "type": "boolean" + }, + "rtt": { + "type": "double" + }, + "saw_query": { + "type": "boolean" + }, + "saw_reply": { + "type": "boolean" + }, + "total_answers": { + "type": "long" + }, + "total_replies": { + "type": "long" + }, + "trans_id": { + "type": "long" + } + } + }, + "files": { + "properties": { + "analyzers": { + "ignore_above": 1024, + "type": "keyword" + }, + "depth": { + "type": "long" + }, + "duration": { + "type": "double" + }, + "entropy": { + "type": "double" + }, + "extracted": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_cutoff": { + "type": "boolean" + }, + "extracted_size": { + "type": "long" + }, + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_orig": { + "type": "boolean" + }, + "local_orig": { + "type": "boolean" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"missing_bytes": { + "type": "long" + }, + "overflow_bytes": { + "type": "long" + }, + "parent_fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "rx_host": { + "type": "ip" + }, + "seen_bytes": { + "type": "long" + }, + "session_ids": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "timedout": { + "type": "boolean" + }, + "total_bytes": { + "type": "long" + }, + "tx_host": { + "type": "ip" + } + } + }, + "http": { + "properties": { + "captured_password": { + "type": "boolean" + }, + "client_header_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "info_code": { + "type": "long" + }, + "info_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "orig_filenames": { + "ignore_above": 1024, + "type": "keyword" + }, + "orig_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "orig_mime_depth": { + "type": "long" + }, + "orig_mime_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxied": { + "ignore_above": 1024, + "type": "keyword" + }, + "range_request": { + "type": "boolean" + }, + "resp_filenames": { + "ignore_above": 1024, + "type": "keyword" + }, + "resp_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "resp_mime_depth": { + "type": "long" + }, + "resp_mime_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "server_header_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "trans_depth": { + "type": "long" + } + } + }, + "inner_vlan": { + "ignore_above": 1024, + "type": "keyword" + }, + "resp_l2_addr": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "ssl": { + "properties": { + "cert_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_chain_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_cert_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_cert_chain_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "validation_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "settings": { + "index": { + "lifecycle": { + "name": "filebeat-7.0.0", + "rollover_alias": "filebeat-7.0.0" + }, + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "number_of_replicas": "0", + "number_of_shards": "1", + "query": { + "default_field": [ + "tags", + "message", + "agent.version", + "agent.name", + "agent.type", + "agent.id", + "agent.ephemeral_id", + "client.address", + "client.mac", + "client.domain", + "client.geo.continent_name", + "client.geo.country_name", + "client.geo.region_name", + "client.geo.city_name", + "client.geo.country_iso_code", + "client.geo.region_iso_code", + "client.geo.name", + "cloud.provider", + "cloud.availability_zone", + "cloud.region", + "cloud.instance.id", + "cloud.instance.name", + 
"cloud.machine.type", + "cloud.account.id", + "container.runtime", + "container.id", + "container.image.name", + "container.image.tag", + "container.name", + "destination.address", + "destination.mac", + "destination.domain", + "destination.geo.continent_name", + "destination.geo.country_name", + "destination.geo.region_name", + "destination.geo.city_name", + "destination.geo.country_iso_code", + "destination.geo.region_iso_code", + "destination.geo.name", + "ecs.version", + "error.id", + "error.message", + "error.code", + "event.id", + "event.kind", + "event.category", + "event.action", + "event.outcome", + "event.type", + "event.module", + "event.dataset", + "event.hash", + "event.timezone", + "file.path", + "file.target_path", + "file.extension", + "file.type", + "file.device", + "file.inode", + "file.uid", + "file.owner", + "file.gid", + "file.group", + "file.mode", + "group.id", + "group.name", + "host.hostname", + "host.name", + "host.id", + "host.mac", + "host.type", + "host.architecture", + "host.os.platform", + "host.os.name", + "host.os.full", + "host.os.family", + "host.os.version", + "host.os.kernel", + "host.geo.continent_name", + "host.geo.country_name", + "host.geo.region_name", + "host.geo.city_name", + "host.geo.country_iso_code", + "host.geo.region_iso_code", + "host.geo.name", + "http.request.method", + "http.request.body.content", + "http.request.referrer", + "http.response.body.content", + "http.version", + "log.level", + "network.name", + "network.type", + "network.iana_number", + "network.transport", + "network.application", + "network.protocol", + "network.direction", + "network.community_id", + "observer.mac", + "observer.hostname", + "observer.vendor", + "observer.version", + "observer.serial_number", + "observer.type", + "observer.os.platform", + "observer.os.name", + "observer.os.full", + "observer.os.family", + "observer.os.version", + "observer.os.kernel", + "observer.geo.continent_name", + "observer.geo.country_name", + 
"observer.geo.region_name", + "observer.geo.city_name", + "observer.geo.country_iso_code", + "observer.geo.region_iso_code", + "observer.geo.name", + "organization.name", + "organization.id", + "os.platform", + "os.name", + "os.full", + "os.family", + "os.version", + "os.kernel", + "process.name", + "process.args", + "process.executable", + "process.title", + "process.working_directory", + "server.address", + "server.mac", + "server.domain", + "server.geo.continent_name", + "server.geo.country_name", + "server.geo.region_name", + "server.geo.city_name", + "server.geo.country_iso_code", + "server.geo.region_iso_code", + "server.geo.name", + "service.id", + "service.name", + "service.type", + "service.state", + "service.version", + "service.ephemeral_id", + "source.address", + "source.mac", + "source.domain", + "source.geo.continent_name", + "source.geo.country_name", + "source.geo.region_name", + "source.geo.city_name", + "source.geo.country_iso_code", + "source.geo.region_iso_code", + "source.geo.name", + "url.original", + "url.full", + "url.scheme", + "url.domain", + "url.path", + "url.query", + "url.fragment", + "url.username", + "url.password", + "user.id", + "user.name", + "user.full_name", + "user.email", + "user.hash", + "user.group.id", + "user.group.name", + "user_agent.original", + "user_agent.name", + "user_agent.version", + "user_agent.device.name", + "user_agent.os.platform", + "user_agent.os.name", + "user_agent.os.full", + "user_agent.os.family", + "user_agent.os.version", + "user_agent.os.kernel", + "agent.hostname", + "error.type", + "cloud.project.id", + "kubernetes.pod.name", + "kubernetes.pod.uid", + "kubernetes.namespace", + "kubernetes.node.name", + "kubernetes.container.name", + "kubernetes.container.image", + "log.file.path", + "log.source.address", + "stream", + "input.type", + "syslog.severity_label", + "syslog.facility_label", + "process.program", + "log.flags", + "user_agent.os.full_name", + "fileset.name", + "apache.access.ssl.protocol", 
+ "apache.access.ssl.cipher", + "apache.error.module", + "user.terminal", + "user.audit.id", + "user.audit.name", + "user.audit.group.id", + "user.audit.group.name", + "user.effective.id", + "user.effective.name", + "user.effective.group.id", + "user.effective.group.name", + "user.filesystem.id", + "user.filesystem.name", + "user.filesystem.group.id", + "user.filesystem.group.name", + "user.owner.id", + "user.owner.name", + "user.owner.group.id", + "user.owner.group.name", + "user.saved.id", + "user.saved.name", + "user.saved.group.id", + "user.saved.group.name", + "auditd.log.old_auid", + "auditd.log.new_auid", + "auditd.log.old_ses", + "auditd.log.new_ses", + "auditd.log.items", + "auditd.log.item", + "auditd.log.tty", + "auditd.log.a0", + "elasticsearch.component", + "elasticsearch.cluster.uuid", + "elasticsearch.cluster.name", + "elasticsearch.node.id", + "elasticsearch.node.name", + "elasticsearch.index.name", + "elasticsearch.index.id", + "elasticsearch.shard.id", + "elasticsearch.audit.layer", + "elasticsearch.audit.origin.type", + "elasticsearch.audit.realm", + "elasticsearch.audit.user.realm", + "elasticsearch.audit.user.roles", + "elasticsearch.audit.action", + "elasticsearch.audit.url.params", + "elasticsearch.audit.indices", + "elasticsearch.audit.request.id", + "elasticsearch.audit.request.name", + "elasticsearch.gc.phase.name", + "elasticsearch.gc.tags", + "elasticsearch.slowlog.logger", + "elasticsearch.slowlog.took", + "elasticsearch.slowlog.types", + "elasticsearch.slowlog.stats", + "elasticsearch.slowlog.search_type", + "elasticsearch.slowlog.source_query", + "elasticsearch.slowlog.extra_source", + "elasticsearch.slowlog.total_hits", + "elasticsearch.slowlog.total_shards", + "elasticsearch.slowlog.routing", + "elasticsearch.slowlog.id", + "elasticsearch.slowlog.type", + "haproxy.frontend_name", + "haproxy.backend_name", + "haproxy.server_name", + "haproxy.bind_name", + "haproxy.error_message", + "haproxy.source", + "haproxy.termination_state", + 
"haproxy.mode", + "haproxy.http.response.captured_cookie", + "haproxy.http.response.captured_headers", + "haproxy.http.request.captured_cookie", + "haproxy.http.request.captured_headers", + "haproxy.http.request.raw_request_line", + "icinga.debug.facility", + "icinga.main.facility", + "icinga.startup.facility", + "iis.access.site_name", + "iis.access.server_name", + "iis.access.cookie", + "iis.error.reason_phrase", + "iis.error.queue_name", + "iptables.fragment_flags", + "iptables.input_device", + "iptables.output_device", + "iptables.tcp.flags", + "iptables.ubiquiti.input_zone", + "iptables.ubiquiti.output_zone", + "iptables.ubiquiti.rule_number", + "iptables.ubiquiti.rule_set", + "kafka.log.component", + "kafka.log.class", + "kafka.log.trace.class", + "kafka.log.trace.message", + "kibana.log.tags", + "kibana.log.state", + "logstash.log.module", + "logstash.log.thread", + "text", + "logstash.slowlog.module", + "logstash.slowlog.thread", + "text", + "logstash.slowlog.event", + "text", + "logstash.slowlog.plugin_name", + "logstash.slowlog.plugin_type", + "logstash.slowlog.plugin_params", + "text", + "mongodb.log.component", + "mongodb.log.context", + "mysql.slowlog.query", + "mysql.slowlog.schema", + "mysql.slowlog.current_user", + "mysql.slowlog.last_errno", + "mysql.slowlog.killed", + "mysql.slowlog.log_slow_rate_type", + "mysql.slowlog.log_slow_rate_limit", + "mysql.slowlog.innodb.trx_id", + "netflow.type", + "netflow.exporter.address", + "netflow.source_mac_address", + "netflow.post_destination_mac_address", + "netflow.destination_mac_address", + "netflow.post_source_mac_address", + "netflow.interface_name", + "netflow.interface_description", + "netflow.sampler_name", + "netflow.application_description", + "netflow.application_name", + "netflow.class_name", + "netflow.wlan_ssid", + "netflow.vr_fname", + "netflow.metro_evc_id", + "netflow.nat_pool_name", + "netflow.p2p_technology", + "netflow.tunnel_technology", + "netflow.encrypted_technology", + 
"netflow.observation_domain_name", + "netflow.selector_name", + "netflow.information_element_description", + "netflow.information_element_name", + "netflow.virtual_station_interface_name", + "netflow.virtual_station_name", + "netflow.sta_mac_address", + "netflow.wtp_mac_address", + "netflow.user_name", + "netflow.application_category_name", + "netflow.application_sub_category_name", + "netflow.application_group_name", + "netflow.dot1q_customer_source_mac_address", + "netflow.dot1q_customer_destination_mac_address", + "netflow.mib_context_name", + "netflow.mib_object_name", + "netflow.mib_object_description", + "netflow.mib_object_syntax", + "netflow.mib_module_name", + "netflow.mobile_imsi", + "netflow.mobile_msisdn", + "netflow.http_request_method", + "netflow.http_request_host", + "netflow.http_request_target", + "netflow.http_message_version", + "netflow.http_user_agent", + "netflow.http_content_type", + "netflow.http_reason_phrase", + "osquery.result.name", + "osquery.result.action", + "osquery.result.host_identifier", + "osquery.result.calendar_time", + "postgresql.log.timestamp", + "postgresql.log.database", + "postgresql.log.query", + "redis.log.role", + "redis.slowlog.cmd", + "redis.slowlog.key", + "redis.slowlog.args", + "santa.action", + "santa.decision", + "santa.reason", + "santa.mode", + "santa.disk.volume", + "santa.disk.bus", + "santa.disk.serial", + "santa.disk.bsdname", + "santa.disk.model", + "santa.disk.fs", + "santa.disk.mount", + "certificate.common_name", + "certificate.sha256", + "hash.sha256", + "suricata.eve.event_type", + "suricata.eve.app_proto_orig", + "suricata.eve.tcp.tcp_flags", + "suricata.eve.tcp.tcp_flags_tc", + "suricata.eve.tcp.state", + "suricata.eve.tcp.tcp_flags_ts", + "suricata.eve.fileinfo.sha1", + "suricata.eve.fileinfo.state", + "suricata.eve.fileinfo.sha256", + "suricata.eve.fileinfo.md5", + "suricata.eve.dns.type", + "suricata.eve.dns.rrtype", + "suricata.eve.dns.rrname", + "suricata.eve.dns.rdata", + 
"suricata.eve.dns.rcode", + "suricata.eve.flow_id", + "suricata.eve.email.status", + "suricata.eve.http.redirect", + "suricata.eve.http.protocol", + "suricata.eve.http.http_content_type", + "suricata.eve.in_iface", + "suricata.eve.alert.category", + "suricata.eve.alert.signature", + "suricata.eve.ssh.client.proto_version", + "suricata.eve.ssh.client.software_version", + "suricata.eve.ssh.server.proto_version", + "suricata.eve.ssh.server.software_version", + "suricata.eve.tls.issuerdn", + "suricata.eve.tls.sni", + "suricata.eve.tls.version", + "suricata.eve.tls.fingerprint", + "suricata.eve.tls.serial", + "suricata.eve.tls.subject", + "suricata.eve.app_proto_ts", + "suricata.eve.flow.state", + "suricata.eve.flow.reason", + "suricata.eve.app_proto_tc", + "suricata.eve.smtp.rcpt_to", + "suricata.eve.smtp.mail_from", + "suricata.eve.smtp.helo", + "suricata.eve.app_proto_expected", + "system.auth.ssh.method", + "system.auth.ssh.signature", + "system.auth.sudo.error", + "system.auth.sudo.tty", + "system.auth.sudo.pwd", + "system.auth.sudo.user", + "system.auth.sudo.command", + "system.auth.useradd.home", + "system.auth.useradd.shell", + "traefik.access.user_identifier", + "traefik.access.frontend_name", + "traefik.access.backend_url", + "zeek.session_id", + "zeek.connection.state", + "zeek.connection.history", + "zeek.connection.orig_l2_addr", + "zeek.resp_l2_addr", + "zeek.vlan", + "zeek.inner_vlan", + "zeek.dns.query", + "zeek.dns.qclass_name", + "zeek.dns.qtype_name", + "zeek.dns.rcode_name", + "zeek.dns.answers", + "zeek.http.status_msg", + "zeek.http.info_msg", + "zeek.http.filename", + "zeek.http.tags", + "zeek.http.proxied", + "zeek.http.client_header_names", + "zeek.http.server_header_names", + "zeek.http.orig_fuids", + "zeek.http.orig_mime_types", + "zeek.http.orig_filenames", + "zeek.http.resp_fuids", + "zeek.http.resp_mime_types", + "zeek.http.resp_filenames", + "zeek.files.fuid", + "zeek.files.session_ids", + "zeek.files.source", + "zeek.files.analyzers", + 
"zeek.files.mime_type", + "zeek.files.filename", + "zeek.files.parent_fuid", + "zeek.files.md5", + "zeek.files.sha1", + "zeek.files.sha256", + "zeek.files.extracted", + "zeek.ssl.version", + "zeek.ssl.cipher", + "zeek.ssl.curve", + "zeek.ssl.server_name", + "zeek.ssl.next_protocol", + "zeek.ssl.cert_chain", + "zeek.ssl.cert_chain_fuids", + "zeek.ssl.client_cert_chain", + "zeek.ssl.client_cert_chain_fuids", + "zeek.ssl.issuer", + "zeek.ssl.client_issuer", + "zeek.ssl.validation_status", + "zeek.ssl.subject", + "zeek.ssl.client_subject", + "zeek.ssl.last_alert", + "fields.*" + ] + }, + "refresh_interval": "5s" + } + } + } +} \ No newline at end of file