[adaxes] Add new integration for Softerra Adaxes operation logs#18947
Open
c3dn wants to merge 6 commits into
Initial release. Receives Softerra Adaxes operation logs over syslog
(UDP/TCP) and parses them into ECS-aligned events under the
logs-adaxes.operations data stream.
The integration:
- UDP and TCP inputs (default port 9514; Adaxes default is 514, remap
externally where needed).
- ES ingest pipeline strips the tagless RFC3164 header that Adaxes
emits, decodes PRI into log.syslog.facility/severity, then parses the
pipe-delimited operation body. Both real-Adaxes shapes are handled:
3-field <initiator>|<operation>|<result> and 2-field
<operation>|<result> (system-initiated). Customised log templates
using "Operation:/Target:/Initiator:/Initiator Host:/Result:" labels
or "Initiator=...|Operation=...|Target=...|Result=..." are also
matched as lower-priority patterns.
- Initiator field "Name (N) (email)" sub-parsed into user.name,
user.email, and adaxes.initiator.sequence.
- Severity 3 + non-Success result text is mapped to event.outcome=
failure with the message captured into adaxes.result.reason; this
correctly tags failed privileged operations (denied delete, password
reset access-denied, etc.).
- event.action derivation covers the documented Adaxes operation
vocabulary: object_created/deleted/modified/disabled/enabled/
unlocked/moved/renamed/copied, password_reset/changed,
membership_added/removed, powershell_executed, mailbox_created,
notification_sent, custom_command_executed, scheduled_task_executed,
report_requested/generated/delivered/document_created/
overview_built, request_approved/denied, authentication.
- Maps to ECS user.name/email, source.address (from customised
template), observer.{vendor,product,type}; fingerprints event.id
(SHA-256 over @timestamp / description / target / initiator) for
dedup.
- Preserves the raw payload under event.original.
Pipeline test fixture covers 38 events: 15 anonymized real production
samples (varied verbs, scheduled-task initiators, German and English
descriptions, success and access-denied), 7 fresh samples from a
live Adaxes 2026.1 lab install (create with property list, multi-prop
update, multi-member group add, fail-on-built-in-account-delete,
build report overview), plus synthetic coverage of customised
templates and raw <PRI>-prefixed lines.
End-to-end validated against a real Softerra Adaxes 2026.1 trial
install on Windows Server 2022. Wire bytes from Adaxes' own UDP socket
land in logs-adaxes.operations-default with every field correctly
populated, including the failure path (event.outcome=failure with
adaxes.result.reason set from the Adaxes-emitted error message).
The changelog link will be updated to this PR's URL once the PR
number is assigned.
❌ Author of the following commits did not sign a Contributor Agreement: Please read and sign the above-mentioned agreement if you want to contribute to this project.
Reviewers: Buildkite won't run for external contributors automatically; you need to add a comment.
NOTE: https://github.com/elastic/integrations/blob/main/.buildkite/pull-requests.json contains all those details.
c3dn pushed a commit to c3dn/integrations that referenced this pull request on May 11, 2026.
c3dn updated the branch from b52dfb1 to bf0edb0.
Clarifies community status and disclaims affiliation with Softerra Ltd. per nominative fair use convention.
The initiator sub-parser anchored the name capture at the first '(' via
[^(]+?, so display names containing parens — e.g.
"Bob Smith (disabled) (bob@corp.com)" or "John (IT) (1) (john@example.com)" —
failed silently: adaxes.initiator.name kept the raw string but user.name,
user.email, and adaxes.initiator.sequence were not populated.
Switching to .+? lets the trailing ')$' anchor backtrack across inner
parens and still latch onto the final email parens. Baseline patterns
(UserB (2) (userb@example.com), Administrator (admin@adaxes.local))
parse identically; paren-in-name variants now parse correctly.
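The pipeline steps from the PR description (PRI decode, tagless RFC3164 header strip, 3-field/2-field body split, severity-3 failure mapping, SHA-256 fingerprint) together with the initiator-regex fix from the commit message above, mirrored in Python as an added example; this is not the integration's own grok/Painless. The header regex, the field names `adaxes.operation.text`/`adaxes.result.text`, the fingerprint basis and the sample lines are constructed assumptions.

```python
import hashlib
import re

# Tagless RFC3164 header ("<PRI>Mon DD HH:MM:SS host ") then the pipe-delimited body.
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<body>.*)$")
EMAIL = r"\((?P<email>[^()\s@]+@[^()\s]+)\)$"
# Fixed form: .+? lets the trailing ')$' anchor backtrack across parens in the display name.
INITIATOR_RE = re.compile(r"^(?P<name>.+?)(?: \((?P<seq>\d+)\))? " + EMAIL)
# Pre-fix form from the commit message, kept only to show its failure on paren-in-name input.
OLD_INITIATOR_RE = re.compile(r"^(?P<name>[^(]+?)(?: \((?P<seq>\d+)\))? " + EMAIL)

def parse_initiator(raw, pattern=INITIATOR_RE):
    """Sub-parse 'Name (N) (email)'; on no match only the raw string is kept."""
    out = {"adaxes.initiator.name": raw}
    m = pattern.match(raw)
    if m:
        out["user.name"], out["user.email"] = m["name"], m["email"]
        if m["seq"] is not None:
            out["adaxes.initiator.sequence"] = int(m["seq"])
    return out

def parse_event(line):
    """Apply the pipeline's steps to one syslog line and return a flat ECS-style dict."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a tagless RFC3164 line")
    pri = int(m["pri"])  # PRI = facility * 8 + severity
    ev = {"event.original": line, "host.name": m["host"],
          "log.syslog.facility.code": pri >> 3, "log.syslog.severity.code": pri & 7}
    fields = [f.strip() for f in m["body"].split("|")]
    if len(fields) == 3:                      # <initiator>|<operation>|<result>
        ev.update(parse_initiator(fields[0]))
        operation, result = fields[1], fields[2]
    elif len(fields) == 2:                    # <operation>|<result>, system-initiated
        operation, result = fields
    else:
        raise ValueError("unexpected field count %d" % len(fields))
    ev["adaxes.operation.text"] = operation   # hypothetical field names for this example
    ev["adaxes.result.text"] = result
    # Severity 3 (err) with a non-Success result is a failed operation; keep the reason.
    if ev["log.syslog.severity.code"] == 3 and result != "Success":
        ev["event.outcome"], ev["adaxes.result.reason"] = "failure", result
    else:
        ev["event.outcome"] = "success" if result == "Success" else "unknown"
    # Dedup fingerprint: SHA-256 over timestamp, operation text and initiator (assumed basis).
    basis = "|".join([m["ts"], operation, ev.get("user.name", "")])
    ev["event.id"] = hashlib.sha256(basis.encode("utf-8")).hexdigest()
    return ev
```

Running `parse_initiator` with `OLD_INITIATOR_RE` on a paren-in-name initiator reproduces the silent failure the commit describes: the raw string is kept but no `user.*` fields are set.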
What
Adds a community integration that ingests Softerra Adaxes operation logs over syslog (UDP/TCP) into the logs-adaxes.operations data stream.
- … log.syslog.facility/severity, then parses the pipe-delimited operation body — both real shapes (<initiator>|<operation>|<result> and <operation>|<result>) plus two customised-template fallbacks.
- Name (N) (email) is sub-parsed into user.name, user.email, adaxes.initiator.sequence.
- … event.outcome=failure with adaxes.result.reason populated. Captures denied deletes, password-reset access-denied, etc.
- event.action derived for ~20 Adaxes verbs (user lifecycle, password ops, group membership, PowerShell, mailbox, notification, report, scheduled task).
- user.name/email, source.address, observer.*, fingerprinted event.id (SHA-256) for dedup, event.original preserved.
Why
Adaxes is widely deployed for AD administration and its service log is the audit trail of every directory change. Today operators roll their own Logstash/grok; this ships a turnkey ECS-aligned data stream so failed privileged operations are detectable in Kibana / Elastic Security out of the box.
How to test
Validation
- elastic-package check clean.
- elastic-package test pipeline — 38 events: 15 anonymized real production samples (varied verbs, scheduled-task initiators, German + English descriptions, success and access-denied), 7 fresh samples from a live Adaxes 2026.1 lab install, plus synthetic coverage of customised templates and raw <PRI>-prefixed lines.
- … logs-adaxes.operations-default with every field correctly populated — including the failure path (built-in-account deletion attempt → event.outcome=failure, adaxes.result.reason="Cannot perform this operation on built-in accounts").
Checklist
- changelog.yml entry added
- kibana.version: ^9.3.3
- elastic-package check + elastic-package test pipeline pass locally
- … /packages/adaxes @c3dn)
- … tag; pipeline has top-level on_failure