Skip to content

Commit

Permalink
Remove dot from file.extension value in Auditbeat FIM (elastic#21644)
Browse files Browse the repository at this point in the history
The ECS file.extension field should not include the dot. For example the value should be "png" and not ".png".

Relates elastic/ecs#1016
  • Loading branch information
andrewkroh authored Oct 13, 2020
1 parent a3fe796 commit 500e8b5
Show file tree
Hide file tree
Showing 3 changed files with 11 additions and 3 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Change event.kind=error to event.kind=event to comply with ECS. {issue}18870[18870] {pull}20685[20685]
- Change network.direction values to ECS recommended values (inbound, outbound). {issue}12445[12445] {pull}20695[20695]
- Docker container needs to be explicitly run as user root for auditing. {pull}21202[21202]
- File integrity dataset no longer includes the leading dot in `file.extension` values (e.g. it will report "png" instead of ".png") to comply with ECS. {pull}21644[21644]

*Filebeat*

Expand Down
2 changes: 1 addition & 1 deletion auditbeat/module/file_integrity/event.go
Original file line number Diff line number Diff line change
Expand Up @@ -257,7 +257,7 @@ func buildMetricbeatEvent(e *Event, existedBefore bool) mb.Event {

if e.Info.Type == FileType {
if extension := filepath.Ext(e.Path); extension != "" {
file["extension"] = extension
file["extension"] = strings.TrimLeft(extension, ".")
}
if mimeType := getMimeType(e.Path); mimeType != "" {
file["mime_type"] = mimeType
Expand Down
11 changes: 9 additions & 2 deletions auditbeat/module/file_integrity/event_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ import (
"time"

"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"

"github.com/elastic/beats/v7/libbeat/common"
)
Expand Down Expand Up @@ -295,7 +296,11 @@ func TestBuildEvent(t *testing.T) {
assertHasKey(t, fields, "event.type")

assertHasKey(t, fields, "file.path")
assertHasKey(t, fields, "file.extension")
if assertHasKey(t, fields, "file.extension") {
ext, err := fields.GetValue("file.extension")
require.NoError(t, err)
assert.Equal(t, ext, "txt")
}
assertHasKey(t, fields, "file.target_path")
assertHasKey(t, fields, "file.inode")
assertHasKey(t, fields, "file.uid")
Expand Down Expand Up @@ -427,10 +432,12 @@ func mustDecodeHex(v string) []byte {
return data
}

func assertHasKey(t testing.TB, m common.MapStr, key string) {
func assertHasKey(t testing.TB, m common.MapStr, key string) bool {
t.Helper()
found, err := m.HasKey(key)
if err != nil || !found {
t.Errorf("key %v not found: %v", key, err)
return false
}
return true
}

0 comments on commit 500e8b5

Please sign in to comment.