Mattermost

Collect logs from Mattermost with Elastic Agent.

Version: 2.1.0
Compatible Kibana version(s): 8.13.0 or higher
Supported Serverless project types: Security, Observability
Subscription level: Basic
Level of support: Community

The Mattermost integration collects logs from Mattermost servers. This integration has been tested with Mattermost version 5.31.9 but is expected to work with other versions.

Logs

Audit

All access to the Mattermost REST API or CLI is audited.

Exported fields

Field | Description | Type
@timestamp | Event timestamp. | date
cloud.image.id | Image ID for the cloud instance. | keyword
data_stream.dataset | Data stream dataset name. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
event.dataset | Event dataset | constant_keyword
event.module | Event module | constant_keyword
host.containerized | If the host is a container. | boolean
host.os.build | OS build information. | keyword
host.os.codename | OS codename, if any. | keyword
input.type | Type of Filebeat input. | keyword
log.flags | Flags for the log file. | keyword
log.offset | Offset of the entry in the log file. | long
mattermost.audit.api_path | REST API endpoint | keyword
mattermost.audit.channel.id | ID of affected channel | keyword
mattermost.audit.channel.name | Name of affected channel | keyword
mattermost.audit.channel.type | Type of affected channel | keyword
mattermost.audit.cluster.id | Mattermost cluster ID | keyword
mattermost.audit.error.message | Mattermost error message | keyword
mattermost.audit.patch.id | ID of patched channel/team/user... | keyword
mattermost.audit.patch.name | Name of patched channel/team/user... | keyword
mattermost.audit.patch.roles | Roles of patched user | keyword
mattermost.audit.patch.type | Type of patched channel/team/user... | keyword
mattermost.audit.post.channel.id | Channel ID of post | keyword
mattermost.audit.post.id | Post ID | keyword
mattermost.audit.post.pinned | Whether or not the post was pinned to the channel | boolean
mattermost.audit.related.channel | List of channels related to the event | keyword
mattermost.audit.related.team | List of channels related to the event | keyword
mattermost.audit.session.id | ID of session used to call the API | keyword
mattermost.audit.status | Outcome of action/event, e.g. success, fail, attempt... | keyword
mattermost.audit.team.id | ID of affected team | keyword
mattermost.audit.team.name | Name of affected team | keyword
mattermost.audit.team.type | Type of affected team | keyword

An example event for audit looks as follows:

{
    "@timestamp": "2021-12-04T23:19:32.051Z",
    "agent": {
        "ephemeral_id": "3a1ecfb2-18a4-46c9-9996-65f6853ed739",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "mattermost.audit",
        "namespace": "26102",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "updateConfig",
        "agent_id_status": "verified",
        "category": [
            "configuration"
        ],
        "dataset": "mattermost.audit",
        "ingested": "2024-06-12T03:15:44Z",
        "kind": "event",
        "original": "{\"timestamp\":\"2021-12-04 23:19:32.051 Z\",\"event\":\"updateConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"pjh4n69j3p883k7hhzippskcba\",\"ip_address\":\"172.19.0.1\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}",
        "outcome": "success",
        "type": [
            "change"
        ]
    },
    "host": {
        "architecture": "x86_64",
        "containerized": false,
        "hostname": "docker-fleet-agent",
        "id": "8259e024976a406e8a54cdbffeb84fec",
        "ip": [
            "172.19.0.7"
        ],
        "mac": [
            "02-42-AC-13-00-07"
        ],
        "name": "docker-fleet-agent",
        "os": {
            "codename": "focal",
            "family": "debian",
            "kernel": "6.5.11-linuxkit",
            "name": "Ubuntu",
            "platform": "ubuntu",
            "type": "linux",
            "version": "20.04.6 LTS (Focal Fossa)"
        }
    },
    "input": {
        "type": "log"
    },
    "log": {
        "file": {
            "path": "/tmp/service_logs/audit.log"
        },
        "offset": 0
    },
    "mattermost": {
        "audit": {
            "api_path": "/api/v4/config",
            "cluster": {
                "id": "jq3utry71f8a7q9qgebmjccf4r"
            },
            "session": {
                "id": "pjh4n69j3p883k7hhzippskcba"
            }
        }
    },
    "related": {
        "ip": [
            "172.19.0.1"
        ],
        "user": [
            "ag99yu4i1if63jrui63tsmq57y"
        ]
    },
    "source": {
        "address": "172.19.0.1",
        "ip": "172.19.0.1"
    },
    "tags": [
        "mattermost-audit",
        "preserve_original_event"
    ],
    "url": {
        "original": "/api/v4/config",
        "path": "/api/v4/config"
    },
    "user": {
        "id": "ag99yu4i1if63jrui63tsmq57y"
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Chrome",
        "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
        "os": {
            "full": "Windows 10",
            "name": "Windows",
            "version": "10"
        },
        "version": "96.0.4664.45"
    }
}
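The raw audit line kept in event.original above is a single JSON object per line; the sample event shows how its keys land in ECS fields (user_id to user.id, ip_address to source.ip, api_path to url.path, status to event.outcome). The Python below is an added illustration of that mapping for use when checking or replaying audit lines, not the integration's own ingest pipeline; the outcome mapping for statuses other than success is an assumption, and the sample line is the one from the event above.

```python
import json
from datetime import datetime, timezone

# Constructed sample input: the audit line shown in event.original above.
SAMPLE_LINE = (
    '{"timestamp":"2021-12-04 23:19:32.051 Z","event":"updateConfig",'
    '"status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y",'
    '"session_id":"pjh4n69j3p883k7hhzippskcba","ip_address":"172.19.0.1",'
    '"api_path":"/api/v4/config","cluster_id":"jq3utry71f8a7q9qgebmjccf4r",'
    '"client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}'
)
# Raw audit key -> target field, taken from the sample event above.
FIELD_MAP = {
    "user_id": "user.id",
    "session_id": "mattermost.audit.session.id",
    "cluster_id": "mattermost.audit.cluster.id",
    "api_path": "mattermost.audit.api_path",
    "ip_address": "source.ip",
    "client": "user_agent.original",
}
# Assumed outcome mapping; the page documents only success, fail and attempt.
OUTCOME_MAP = {"success": "success", "fail": "failure"}

def parse_timestamp(raw: str) -> str:
    """Mattermost writes '2021-12-04 23:19:32.051 Z' (space before the Z);
    return the ISO 8601 form used by @timestamp in the sample event."""
    dt = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S.%f Z").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def audit_line_to_ecs(line: str) -> dict:
    """Map one audit log line to flattened ECS-style keys. Keys absent from
    the raw line are omitted instead of raising, so partial records still index."""
    rec = json.loads(line)
    doc = {
        "@timestamp": parse_timestamp(rec["timestamp"]),
        "event.action": rec.get("event"),
        "event.outcome": OUTCOME_MAP.get(rec.get("status"), "unknown"),
    }
    for src, dst in FIELD_MAP.items():
        if rec.get(src):
            doc[dst] = rec[src]
    # Derived fields seen in the sample event: url.path and the related.* lists.
    if rec.get("api_path"):
        doc["url.path"] = rec["api_path"]
    doc["related.ip"] = [rec["ip_address"]] if rec.get("ip_address") else []
    doc["related.user"] = [rec["user_id"]] if rec.get("user_id") else []
    return doc
```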

Changelog

Version | Details | Kibana version(s)
2.1.0 | Enhancement: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. | 8.13.0 or higher
2.0.1 | Bug fix: Fix sample event. | 7.16.0 or higher; 8.0.0 or higher
2.0.0 | Enhancement: Make event.type field conform to ECS field definition. | 7.16.0 or higher; 8.0.0 or higher
1.18.0 | Enhancement: Update manifest format version to v3.0.3. | 7.16.0 or higher; 8.0.0 or higher
1.17.3 | Bug fix: Clean up null handling and Painless scripts. | 7.16.0 or higher; 8.0.0 or higher
1.17.2 | Enhancement: Changed owners. | 7.16.0 or higher; 8.0.0 or higher
1.17.1 | Bug fix: Fix exclude_files pattern. | 7.16.0 or higher; 8.0.0 or higher
1.17.0 | Enhancement: ECS version updated to 8.11.0. | 7.16.0 or higher; 8.0.0 or higher
1.16.0 | Enhancement: Improve 'event.original' check to avoid errors if set. | 7.16.0 or higher; 8.0.0 or higher
1.15.0 | Enhancement: Set 'community' owner type. | 7.16.0 or higher; 8.0.0 or higher
1.14.0 | Enhancement: ECS version updated to 8.10.0. | 7.16.0 or higher; 8.0.0 or higher
1.13.0 | Enhancement: The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest. | 7.16.0 or higher; 8.0.0 or higher
1.12.0 | Enhancement: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. | 7.16.0 or higher; 8.0.0 or higher
1.11.0 | Enhancement: Update package to ECS 8.9.0. | 7.16.0 or higher; 8.0.0 or higher
1.10.0 | Enhancement: Ensure event.kind is correctly set for pipeline errors. | 7.16.0 or higher; 8.0.0 or higher
1.9.0 | Enhancement: Update package to ECS 8.8.0. | 7.16.0 or higher; 8.0.0 or higher
1.8.0 | Enhancement: Update package-spec version to 2.7.0. | 7.16.0 or higher; 8.0.0 or higher
1.7.0 | Enhancement: Update package to ECS 8.7.0. | 7.16.0 or higher; 8.0.0 or higher
1.6.1 | Enhancement: Added categories and/or subcategories. | 7.16.0 or higher; 8.0.0 or higher
1.6.0 | Enhancement: Update package to ECS 8.6.0. | 7.16.0 or higher; 8.0.0 or higher
1.5.0 | Enhancement: Update package to ECS 8.5.0. | 7.16.0 or higher; 8.0.0 or higher
1.4.2 | Enhancement: Add link to Mattermost documentation. | 7.16.0 or higher; 8.0.0 or higher
1.4.1 | Enhancement: Use ECS geo.location definition. | 7.16.0 or higher; 8.0.0 or higher
1.4.0 | Enhancement: Update package to ECS 8.4.0. | 7.16.0 or higher; 8.0.0 or higher
1.3.1 | Enhancement: Update package name and description to align with standard wording. | 7.16.0 or higher; 8.0.0 or higher
1.3.0 | Enhancement: Update package to ECS 8.3.0. | 7.16.0 or higher; 8.0.0 or higher
1.2.0 | Enhancement: Update to ECS 8.2. | 7.16.0 or higher; 8.0.0 or higher
1.1.1 | Enhancement: Add documentation for multi-fields. | 7.16.0 or higher; 8.0.0 or higher
1.1.0 | Enhancement: Update to ECS 8.0. | 7.16.0 or higher; 8.0.0 or higher
1.0.0 | Enhancement: Initial draft of the package. | 7.16.0 or higher; 8.0.0 or higher
