Rename file integrity fields

This creates three groups of fields in the file integrity module `event`, `hash`, and `file`.

It also changes `dataset.module` to `event.module` for all modules.

elastic#5423

CHANGELOG.asciidoc

@@ -26,6 +26,7 @@ https://github.com/elastic/beats/compare/v6.0.0-beta2...master[Check the HEAD di
 - Split the audit.kernel and audit.file metricsets into their own modules
   named auditd and file_integrity, respectively. This change requires
   existing users to update their config. {issue}5422[5422]
+- Renamed file_integrity module fields. {issue}5423[5423] {pull}5995[5995]
 
 *Filebeat*
 - Switch to docker prospector in sample manifests for Kubernetes deployment {pull}5963[5963]

auditbeat/Makefile

@@ -18,7 +18,7 @@ before-build:
 	     ${ES_BEATS}/libbeat/_meta/config.yml > \
 	     ${PREFIX}/${BEAT_NAME}-win.yml
 	@cat ${ES_BEATS}/auditbeat/_meta/common.reference.yml \
-	     <(go run scripts/generate_config.go -os windows -concat) \
+	     <(go run scripts/generate_config.go -os windows -concat -ref) \
 	     ${ES_BEATS}/libbeat/_meta/config.reference.yml > \
 	     ${PREFIX}/${BEAT_NAME}-win.reference.yml
 
@@ -28,7 +28,7 @@ before-build:
 	     ${ES_BEATS}/libbeat/_meta/config.yml > \
 	     ${PREFIX}/${BEAT_NAME}-darwin.yml
 	@cat ${ES_BEATS}/auditbeat/_meta/common.reference.yml \
-	     <(go run scripts/generate_config.go -os darwin -concat) \
+	     <(go run scripts/generate_config.go -os darwin -concat -ref) \
 	     ${ES_BEATS}/libbeat/_meta/config.reference.yml > \
 	     ${PREFIX}/${BEAT_NAME}-darwin.reference.yml
 
@@ -38,7 +38,7 @@ before-build:
 	     ${ES_BEATS}/libbeat/_meta/config.yml > \
 	     ${PREFIX}/${BEAT_NAME}-linux.yml
 	@cat ${ES_BEATS}/auditbeat/_meta/common.reference.yml \
-	     <(go run scripts/generate_config.go -os linux -concat) \
+	     <(go run scripts/generate_config.go -os linux -concat -ref) \
 	     ${ES_BEATS}/libbeat/_meta/config.reference.yml > \
 	     ${PREFIX}/${BEAT_NAME}-linux.reference.yml
 

auditbeat/_meta/fields.common.yml

@@ -3,7 +3,7 @@
   description: >
     Contains common fields available in all event types.
   fields:
-    - name: dataset.module
+    - name: event.module
       description: >
         The name of the module that generated the event.
 

auditbeat/core/eventmod.go

@@ -12,5 +12,5 @@ func AddDatasetToEvent(module, metricSet string, event *mb.Event) {
 		event.RootFields = common.MapStr{}
 	}
 
-	event.RootFields.Put("dataset.module", module)
+	event.RootFields.Put("event.module", module)
 }

auditbeat/docs/fields.asciidoc

@@ -2092,7 +2092,7 @@ Contains common fields available in all event types.
 
 
 [float]
-=== `dataset.module`
+=== `event.module`
 
 The name of the module that generated the event.
 
@@ -2144,91 +2144,89 @@ Image labels.
 These are the fields generated by the file_integrity module.
 
 
+[float]
+=== `event.action`
+
+type: keyword
+
+example: attributes_modified
+
+Action describes the change that triggered the event. The possible values are: attributes_modified, created, deleted, updated, moved, and config_change.
+
+
+[float]
+== file fields
+
+File attributes.
 
 
 [float]
-=== `audit.file.path`
+=== `file.path`
 
 type: text
 
 The path to the file.
 
 [float]
-=== `audit.file.path.raw`
+=== `file.path.raw`
 
 type: keyword
 
 The path to the file. This is an non-analyzed field that is useful for aggregations.
 
 
 [float]
-=== `audit.file.target_path`
+=== `file.target_path`
 
 type: keyword
 
 The target path for symlinks.
 
 [float]
-=== `audit.file.action`
-
-type: keyword
-
-example: attributes_modified
-
-Action describes the change that triggered the event. The possible values are: attributes_modified, created, deleted, updated, moved, and config_change.
-
-
-[float]
-=== `audit.file.type`
+=== `file.type`
 
 type: keyword
 
 The file type (file, dir, or symlink).
 
 [float]
-=== `audit.file.inode`
+=== `file.inode`
 
 type: keyword
 
 The inode representing the file in the filesystem.
 
 [float]
-=== `audit.file.uid`
+=== `file.uid`
 
 type: keyword
 
-The user ID (UID) of the file owner.
+The user ID (UID) or security identifier (SID) of the file owner.
+
 
 [float]
-=== `audit.file.owner`
+=== `file.owner`
 
 type: keyword
 
 The file owner's username.
 
 [float]
-=== `audit.file.gid`
+=== `file.gid`
 
 type: keyword
 
 The primary group ID (GID) of the file.
 
 [float]
-=== `audit.file.group`
+=== `file.group`
 
 type: keyword
 
 The primary group name of the file.
 
 [float]
-=== `audit.file.sid`
-
-type: keyword
-
-The security identifier (SID) of the file owner (Windows only).
-
-[float]
-=== `audit.file.mode`
+=== `file.mode`
 
 type: keyword
 
@@ -2237,7 +2235,7 @@ example: 416
 The mode of the file in octal representation.
 
 [float]
-=== `audit.file.setuid`
+=== `file.setuid`
 
 type: boolean
 
@@ -2246,7 +2244,7 @@ example: True
 Set if the file has the `setuid` bit set. Omitted otherwise.
 
 [float]
-=== `audit.file.setgid`
+=== `file.setgid`
 
 type: boolean
 
@@ -2255,146 +2253,146 @@ example: True
 Set if the file has the `setgid` bit set. Omitted otherwise.
 
 [float]
-=== `audit.file.size`
+=== `file.size`
 
 type: long
 
 The file size in bytes (field is only added when `type` is `file`).
 
 [float]
-=== `audit.file.mtime`
+=== `file.mtime`
 
 type: date
 
 The last modified time of the file (time when content was modified).
 
 [float]
-=== `audit.file.ctime`
+=== `file.ctime`
 
 type: date
 
 The last change time of the file (time when metadata was changed).
 
 [float]
-=== `audit.file.hashed`
+=== `file.origin`
 
-type: boolean
+type: keyword
+
+An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.
 
-Boolean indicating if the event includes any file hashes.
 
 [float]
-=== `audit.file.blake2b_256`
+== hash fields
+
+Hashes of the file. The keys are algorithm names and the values are the hex encoded digest values.
+
+
+
+[float]
+=== `hash.blake2b_256`
 
 type: keyword
 
 BLAKE2b-256 hash of the file.
 
 [float]
-=== `audit.file.blake2b_384`
+=== `hash.blake2b_384`
 
 type: keyword
 
 BLAKE2b-384 hash of the file.
 
 [float]
-=== `audit.file.blake2b_512`
+=== `hash.blake2b_512`
 
 type: keyword
 
 BLAKE2b-512 hash of the file.
 
 [float]
-=== `audit.file.md5`
+=== `hash.md5`
 
 type: keyword
 
 MD5 hash of the file.
 
 [float]
-=== `audit.file.sha1`
+=== `hash.sha1`
 
 type: keyword
 
 SHA1 hash of the file.
 
 [float]
-=== `audit.file.sha224`
+=== `hash.sha224`
 
 type: keyword
 
 SHA224 hash of the file.
 
 [float]
-=== `audit.file.sha256`
+=== `hash.sha256`
 
 type: keyword
 
 SHA256 hash of the file.
 
 [float]
-=== `audit.file.sha384`
+=== `hash.sha384`
 
 type: keyword
 
 SHA384 hash of the file.
 
 [float]
-=== `audit.file.sha3_224`
+=== `hash.sha3_224`
 
 type: keyword
 
 SHA3_224 hash of the file.
 
 [float]
-=== `audit.file.sha3_256`
+=== `hash.sha3_256`
 
 type: keyword
 
 SHA3_256 hash of the file.
 
 [float]
-=== `audit.file.sha3_384`
+=== `hash.sha3_384`
 
 type: keyword
 
 SHA3_384 hash of the file.
 
 [float]
-=== `audit.file.sha3_512`
+=== `hash.sha3_512`
 
 type: keyword
 
 SHA3_512 hash of the file.
 
 [float]
-=== `audit.file.sha512`
+=== `hash.sha512`
 
 type: keyword
 
 SHA512 hash of the file.
 
 [float]
-=== `audit.file.sha512_224`
+=== `hash.sha512_224`
 
 type: keyword
 
 SHA512/224 hash of the file.
 
 [float]
-=== `audit.file.sha512_256`
+=== `hash.sha512_256`
 
 type: keyword
 
 SHA512/256 hash of the file.
 
-[float]
-=== `audit.file.origin`
-
-type: keyword
-
-An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.
-
-
 [[exported-fields-kubernetes-processor]]
 == Kubernetes fields
 

auditbeat/module/auditd/_meta/data.json

@@ -36,7 +36,7 @@
         "hostname": "host.example.com",
         "name": "host.example.com"
     },
-    "dataset": {
+    "event": {
         "module": "auditd"
     }
 }