From 960e824509de12a36ad3344fa326dea158f346c9 Mon Sep 17 00:00:00 2001
From: Ward Poelmans
Date: Mon, 9 Dec 2024 18:48:27 +0100
Subject: [PATCH 1/2] pid and uid are numbers
---
 tests/data/general_syslog | 2 +-
 tests/data/pixiu | 2 +-
 tests/data/singularity | 8 ++++----
 tests/data/snoopy | 14 +++++++-------
 tests/data/ssh | 16 ++++++++--------
 tests/logstash_7.6.2.conf | 3 +++
 6 files changed, 24 insertions(+), 21 deletions(-)
diff --git a/tests/data/general_syslog b/tests/data/general_syslog
index 21868c7..73149cf 100644
--- a/tests/data/general_syslog
+++ b/tests/data/general_syslog
@@ -27,7 +27,7 @@ data = [
 "@source_host": "login3",
 "appname": "python2",
 "program": "python2",
- "pid": "7245",
+ "pid": 7245,
 }
 },
 ]
diff --git a/tests/data/pixiu b/tests/data/pixiu
index bf9eda7..8f8c595 100644
--- a/tests/data/pixiu
+++ b/tests/data/pixiu
@@ -54,7 +54,7 @@ data = [
 "expected": {
 "@source_host": "C4STO01-Node2",
 "program": "libstorage-iostat-enable",
- "pid": "1965645",
+ "pid": 1965645,
 },
 },
 {
diff --git a/tests/data/singularity b/tests/data/singularity
index 10d5ab3..990fd4c 100644
--- a/tests/data/singularity
+++ b/tests/data/singularity
@@ -22,8 +22,8 @@ data = [
 "program": "Singularity",
 "username": "wapoelma",
 "image": "tensorflow:latest",
- "uid": "245890",
- "pid": "4131",
+ "uid": 245890,
+ "pid": 4131,
 "executable": "action-suid",
 },
 },
@@ -31,8 +31,8 @@ data = [
 "raw": "<132>2017-11-22T11:09:29.204068+01:00 nic169 Singularity: action-suid (U=245890,P=13364)> Not mounting current directory: user bind control is disabled by system administrator",
 "expected" : {
 "program": "Singularity",
- "uid": "245890",
- "pid": "13364",
+ "uid": 245890,
+ "pid": 13364,
 "executable": "action-suid",
 "singularity_msg": "Not mounting current directory: user bind control is disabled by system administrator",
 },
diff --git a/tests/data/snoopy b/tests/data/snoopy
index 34d95df..6f772e6 100644
--- a/tests/data/snoopy
+++ b/tests/data/snoopy
@@ -3,7 +3,7 @@ data = [
 "raw": "<86>Apr 26 09:00:55 master2 snoopy[1301]: [uid:110 sid:8322 tty: cwd:/ filename:/bin/cut]: cut -d ; -f 4 ",
 "expected" : {
 "program": "snoopy",
- "pid": "1301",
+ "pid": 1301,
 "uid": 110,
 "sid": 8322,
 "command": "cut -d ; -f 4 ",
@@ -16,7 +16,7 @@ data = [
 "raw": "<86>1 2015-12-19T17:30:22.145124+01:00 gligar03 snoopy[27316]: - snoopy[27316]:: [uid:110 sid:9379 tty:(none) cwd:/ filename:/usr/lib64/nagios/plugins/hpc/check_ifutil.pl]: /usr/lib64/nagios/plugins/hpc/check_ifutil.pl -i em1.295 -w 90 -c 95 -p -b 10000m",
 "expected" : {
 "program": "snoopy",
- "pid": "27316",
+ "pid": 27316,
 "uid": 110,
 "sid": 9379,
 "command": "/usr/lib64/nagios/plugins/hpc/check_ifutil.pl -i em1.295 -w 90 -c 95 -p -b 10000m",
@@ -30,7 +30,7 @@ data = [
 "raw": "<86>1 2015-12-20T09:59:40.844711+01:00 gligar03 snoopy[46513]: - snoopy[46513]:: [uid:2540337 sid:19403 tty:ERROR(ttyname_r->EUNKNOWN) cwd:/vscmnt/gent_vulpix/_/user/home/gent/vsc403/vsc40337/UCS_LABELLED_NEW/20000_to_30000 filename:/usr/bin/qsub]: qsub -l walltime=72:00:00 job7_21293_30000_doit",
 "expected" : {
 "program": "snoopy",
- "pid": "46513",
+ "pid": 46513,
 "cwd": "/vscmnt/gent_vulpix/_/user/home/gent/vsc403/vsc40337/UCS_LABELLED_NEW/20000_to_30000",
 "uid": 2540337,
 "sid": 19403,
@@ -44,7 +44,7 @@ data = [
 "raw": "<86>1 2015-12-20T09:59:36.133039+01:00 master13 snoopy[36344]: [uid:0 sid:36288 tty: cwd:/ filename:/sbin/pidof]: pidof -c -o 36318 -o 36292 -o %PPID -x cdp-listend",
 "expected" : {
 "program": "snoopy",
- "pid": "36344",
+ "pid": 36344,
 "cwd": "/",
 "uid": 0,
 "sid": 36288,
@@ -57,7 +57,7 @@ data = [
 "raw": "<86>1 2015-12-08T16:59:54.996042+01:00 gligar01 snoopy[30093]: - snoopy[30093]:: [uid:2540003 sid:29974 tty:/dev/pts/7 cwd:/vscmnt/gent_vulpix/_/user/home/gent/vsc400/vsc40003 filename:/user/home/gent/vsc400/vsc40003/easybuild_easyinstalled/bin/easy_install]: easy_install -U --prefix /user/home/gent/vsc400/vsc40003/easybuild_easyinstalled https://github.com/hpcugent/easybuild-framework/archive/develop.tar.gz",
 "expected" : {
 "program": "snoopy",
- "pid": "30093",
+ "pid": 30093,
 "cwd": "/vscmnt/gent_vulpix/_/user/home/gent/vsc400/vsc40003",
 "uid": 2540003,
 "sid": 29974,
@@ -74,7 +74,7 @@ data = [
 'command':'tr [:lower:] [:upper:]',
 'cwd':'/home/wpoelman',
 'executable':'/usr/bin/tr',
- 'pid':'12006',
+ 'pid':12006,
 'sid': 11944,
 'tty':'(none)',
 'uid': 2009,
@@ -89,7 +89,7 @@ data = [
 'command':'cut -d. -f2',
 'cwd':'/vscmnt/gent_vulpix/_/user/home/gent/vsc416/vsc41677/project/AAN/HF_6_31++Gdp/NBO',
 'executable':'/bin/cut',
- 'pid':'43645',
+ 'pid':43645,
 'sid': 39946,
 'tty':'(none)',
 'uid': 2541677,
diff --git a/tests/data/ssh b/tests/data/ssh
index 30def79..884e1b3 100644
--- a/tests/data/ssh
+++ b/tests/data/ssh
@@ -24,7 +24,7 @@ data = [
 "raw": "<86>Apr 26 11:25:44 node2104 sshd[44668]: Accepted publickey for vsc40000 from 172.24.13.2 port 43493 ssh2",
 "expected" : {
 'method': 'publickey',
- 'pid': '44668',
+ 'pid': 44668,
 'port': 43493,
 'program': 'sshd',
 'status': 'Accepted',
@@ -37,7 +37,7 @@ data = [
 "raw": "<86>Apr 26 11:25:44 node2104 sshd[44558]: Received disconnect from 172.24.13.2: 11: disconnected by user",
 "expected" : {
 'ip': '172.24.13.2',
- 'pid': '44558',
+ 'pid': 44558,
 'program': 'sshd',
 'reason': 'disconnected by user',
 },
@@ -62,7 +62,7 @@ data = [
 "raw": "<86>Apr 26 11:17:51 gligar02 sshd[11243]: input_userauth_request: invalid user vsc40000",
 "expected" : {
 'inputuserauth': 'invalid user vsc40000',
- 'pid': '11243',
+ 'pid': 11243,
 'program': 'sshd',
 },
 },
@@ -73,7 +73,7 @@ data = [
 "raw": "2015-03-18T14:09:15.962645+01:00 node2432 sshd[26270]: Authentication refused: bad ownership or modes for file /vscmnt/gent_vulpix/_/user/home/gent/vsc404/vsc40479/.ssh/authorized_keys",
 "expected" : {
 'ownerpath': '/vscmnt/gent_vulpix/_/user/home/gent/vsc404/vsc40479/.ssh/authorized_keys',
- 'pid': '26270',
+ 'pid': 26270,
 'program': 'sshd',
 },
 },
@@ -81,7 +81,7 @@ data = [
 "raw": "<86>1 2015-03-24T15:16:09.252883+01:00 gligar01 sshd[48764]: - sshd[48764]:: input_userauth_request: invalid user vsc40001",
 "expected" : {
 'inputuserauth': 'invalid user vsc40001',
- 'pid': '48764',
+ 'pid': 48764,
 'program': 'sshd',
 },
 },
@@ -89,7 +89,7 @@ data = [
 "raw": "<86>1 2015-03-20T11:00:59.922704+01:00 gligar01 sshd[9215]: - sshd[9215]:: subsystem request for sftp",
 "expected" : {
 'program': 'sshd',
- 'pid': '9215',
+ 'pid': 9215,
 'subsystem': 'sftp',
 },
 },
@@ -97,7 +97,7 @@ data = [
 "raw": "<86>1 2015-03-19T10:53:18.185704+01:00 hyp105 sshd[5170]: - sshd[5170]:: Received disconnect from 10.141.2.11: 11: disconnected by user",
 "expected" : {
 'ip': '10.141.2.11',
- 'pid': '5170',
+ 'pid': 5170,
 'program': 'sshd',
 'reason': 'disconnected by user',
 },
@@ -106,7 +106,7 @@ data = [
 "raw": "<86>1 2015-03-19T10:42:03.145881+01:00 hyp108 sshd[8245]: - sshd[8245]:: Accepted publickey for oneadmin from 10.141.2.11 port 55141 ssh2: DSA d0:a6:12:8f:48:50:c5:78:31:bd:5b:40:1b:78:fb:88",
 "expected" : {
 'method': 'publickey',
- 'pid': '8245',
+ 'pid': 8245,
 'port': 55141,
 'program': 'sshd',
 'status': 'Accepted',
diff --git a/tests/logstash_7.6.2.conf b/tests/logstash_7.6.2.conf
index ab03849..9a13c9d 100644
--- a/tests/logstash_7.6.2.conf
+++ b/tests/logstash_7.6.2.conf
@@ -89,6 +89,9 @@ filter {
 "quota_space_limit" => "integer"
 "quota_used" => "integer"
 "quota_limit" => "integer"
+ "pid" => "integer"
+ "bash_pid" => "integer"
+ "uid" => "integer"
 }
 }
 }
From 5a849a2c99b9254e5426102f35b5712af7929b43 Mon Sep 17 00:00:00 2001
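Review bot: The three new `convert` entries type `pid`, `bash_pid` and `uid` on every event, but nothing in this hunk covers the case where a pattern leaves one of them non-numeric; how mutate treats a string that is not a clean integer differs between plugin releases (older ones coerce it, newer ones warn and keep the string), so the field would then no longer have one type across sources. Since this is the 7.6.2 test configuration, it is worth confirming the mutate release bundled with it behaves the way these fixtures assume, and stating the intent above the new lines, e.g. `# pid, bash_pid and uid are typed here rather than with :int in each grok pattern`. If an event can end up with `pid` set twice (array), mutate converts element-wise, which is presumably fine but worth a sentence in that comment. The enclosing `mutate` and `filter` blocks start before the hunk.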
From: Ward Poelmans
Date: Mon, 9 Dec 2024 18:48:40 +0100
Subject: [PATCH 2/2] fix bash history pattern
---
 files/bash | 2 +-
 tests/data/bash | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/files/bash b/files/bash
index fe20102..0d6f2a0 100644
--- a/files/bash
+++ b/files/bash
@@ -1 +1 @@
-BASH_MSG HISTORY: PID=%{INT:pid:int} UID=%{INT:uid:int} %{GREEDYDATA:command}
+BASH_MSG HISTORY: PID=%{INT:bash_pid} UID=%{INT:uid} %{GREEDYDATA:command}
diff --git a/tests/data/bash b/tests/data/bash
index a059575..57b2026 100644
--- a/tests/data/bash
+++ b/tests/data/bash
@@ -6,8 +6,19 @@ data = [
 "@source_host": "master01",
 "program": "-bash",
 "uid": 0,
- "pid": 23883,
+ "bash_pid": 23883,
 "command": "echo boem",
 }
 },
+{
+ "raw": "<14>1 2024-12-09T11:18:16.406259+01:00 storctrl02 -bash[1102070]: - -bash: HISTORY: PID=1102070 UID=4005 sudo cat /etc/cron.d/aad-*",
+ "expected": {
+ "@source_host": "storctrl02",
+ "program": "-bash",
+ "uid": 4005,
+ "pid": 1102070,
+ "bash_pid": 1102070,
+ "command": "sudo cat /etc/cron.d/aad-*",
+ }
+},
 ]
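Review bot: `%{INT:bash_pid}` and `%{INT:uid}` accept an optional sign, so a HISTORY line with `PID=-1` or `UID=-1` still matches and, after the integer conversion in the logstash config, yields a negative pid or uid; `NONNEGINT` is the tighter choice for both: `BASH_MSG HISTORY: PID=%{NONNEGINT:bash_pid} UID=%{NONNEGINT:uid} %{GREEDYDATA:command}`. The rename to `bash_pid` also deserves a `#` comment in the pattern file, because it is what keeps the PID written into the message body apart from the `pid` that the new tests/data/bash record shows being filled from the `-bash[1102070]` header, e.g. `# PID/UID come from the HISTORY text itself; bash_pid avoids clobbering the syslog-header pid`. Dropping `:int` here makes the typing depend on the `mutate convert` entries in the logstash config, so the two need to be deployed together.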
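Review bot: The two records now assert different shapes: the master01 record expects `bash_pid` only, while the new storctrl02 record expects both `pid` and `bash_pid`. The master01 record's `raw` line sits above the hunk, so whether it carries a `-bash[<pid>]` header is not visible here; if it does, adding the matching `"pid"` entry to its expected dict would make both fixtures exercise the same contract, and if it does not, a one-line comment saying so would explain the asymmetry. The enclosing `data = [` list starts before the hunk.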