Improve ECS categorization field mappings for mssql module.

- event.kind - event.category - event.type Closes #16171
elastic · Mar 31, 2020 · 020fe5e · 020fe5e
1 parent 8486777
commit 020fe5e
Show file tree

Hide file tree

Showing 3 changed files with 115 additions and 0 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -216,6 +216,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Added new module `crowdstrike` for ingesting Crowdstrike Falcon streaming API endpoint event data. {pull}16988[16988]
 - Added documentation for running Filebeat in Cloud Foundry. {pull}17275[17275]
 - Move azure-eventhub input to GA. {issue}15671[15671] {pull}17313[17313]
+- Improve ECS categorization field mappings for mssql module. {issue}16171[16171] {pull}17376[17376]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/module/mssql/log/ingest/pipeline.yml b/x-pack/filebeat/module/mssql/log/ingest/pipeline.yml
@@ -35,6 +35,15 @@ processors:
     field: msg_temp
     target_field: message
     ignore_missing: true
+- set:
+    field: event.kind
+    value: event
+- append:
+    field: event.category
+    value: database
+- append:
+    field: event.type
+    value: info
 on_failure:
 - set:
     field: error.message

diff --git a/x-pack/filebeat/module/mssql/log/test/test.log-expected.json b/x-pack/filebeat/module/mssql/log/test/test.log-expected.json
@@ -1,9 +1,16 @@
 [
     {
         "@timestamp": "2019-05-03T09:01:09.990-02:00",
+        "event.category": [
+            "database"
+        ],
         "event.dataset": "mssql.log",
+        "event.kind": "event",
         "event.module": "mssql",
         "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.flags": [
@@ -17,9 +24,16 @@
     },
     {
         "@timestamp": "2019-05-03T09:01:09.990-02:00",
+        "event.category": [
+            "database"
+        ],
         "event.dataset": "mssql.log",
+        "event.kind": "event",
         "event.module": "mssql",
         "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 226,
@@ -30,9 +44,16 @@
     },
     {
         "@timestamp": "2019-05-03T09:01:09.990-02:00",
+        "event.category": [
+            "database"
+        ],
         "event.dataset": "mssql.log",
+        "event.kind": "event",
         "event.module": "mssql",
         "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 282,
@@ -43,9 +64,16 @@
     },
     {
         "@timestamp": "2019-05-03T09:01:09.990-02:00",
+        "event.category": [
+            "database"
+        ],
         "event.dataset": "mssql.log",
+        "event.kind": "event",
         "event.module": "mssql",
         "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 344,
@@ -56,9 +84,16 @@
     },
     {
         "@timestamp": "2019-05-03T09:01:10.000-02:00",
+        "event.category": [
+            "database"
+        ],
         "event.dataset": "mssql.log",
+        "event.kind": "event",
         "event.module": "mssql",
         "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 400,
@@ -69,9 +104,16 @@
     },
     {
         "@timestamp": "2019-05-03T09:01:10.000-02:00",
+        "event.category": [
+            "database"
+        ],
         "event.dataset": "mssql.log",
+        "event.kind": "event",
         "event.module": "mssql",
         "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 462,
@@ -82,9 +124,16 @@
     },
     {
         "@timestamp": "2019-05-03T09:01:10.000-02:00",
+        "event.category": [
+            "database"
+        ],
         "event.dataset": "mssql.log",
+        "event.kind": "event",
         "event.module": "mssql",
         "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.flags": [
@@ -98,9 +147,16 @@
     },
     {
         "@timestamp": "2019-05-03T09:01:10.000-02:00",
+        "event.category": [
+            "database"
+        ],
         "event.dataset": "mssql.log",
+        "event.kind": "event",
         "event.module": "mssql",
         "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 734,
@@ -111,9 +167,16 @@
     },
     {
         "@timestamp": "2019-05-03T09:01:10.000-02:00",
+        "event.category": [
+            "database"
+        ],
         "event.dataset": "mssql.log",
+        "event.kind": "event",
         "event.module": "mssql",
         "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 1011,
@@ -124,9 +187,16 @@
     },
     {
         "@timestamp": "2019-05-03T09:01:10.000-02:00",
+        "event.category": [
+            "database"
+        ],
         "event.dataset": "mssql.log",
+        "event.kind": "event",
         "event.module": "mssql",
         "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 1166,
@@ -137,9 +207,16 @@
     },
     {
         "@timestamp": "2019-05-03T09:01:10.000-02:00",
+        "event.category": [
+            "database"
+        ],
         "event.dataset": "mssql.log",
+        "event.kind": "event",
         "event.module": "mssql",
         "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 1289,
@@ -150,9 +227,16 @@
     },
     {
         "@timestamp": "2019-05-03T09:01:10.010-02:00",
+        "event.category": [
+            "database"
+        ],
         "event.dataset": "mssql.log",
+        "event.kind": "event",
         "event.module": "mssql",
         "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 1373,
@@ -163,9 +247,16 @@
     },
     {
         "@timestamp": "2019-05-03T09:01:10.200-02:00",
+        "event.category": [
+            "database"
+        ],
         "event.dataset": "mssql.log",
+        "event.kind": "event",
         "event.module": "mssql",
         "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 1435,
@@ -176,9 +267,16 @@
     },
     {
         "@timestamp": "2019-05-03T09:01:11.930-02:00",
+        "event.category": [
+            "database"
+        ],
         "event.dataset": "mssql.log",
+        "event.kind": "event",
         "event.module": "mssql",
         "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 1528,
@@ -189,9 +287,16 @@
     },
     {
         "@timestamp": "2019-05-03T09:01:12.030-02:00",
+        "event.category": [
+            "database"
+        ],
         "event.dataset": "mssql.log",
+        "event.kind": "event",
         "event.module": "mssql",
         "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 1599,