From 020fe5e1e702082dde298c6e391c8d9ea111857b Mon Sep 17 00:00:00 2001 From: "Lee E. Hinman" Date: Tue, 31 Mar 2020 14:28:16 -0500 Subject: [PATCH] Improve ECS categorization field mappings for mssql module. - event.kind - event.category - event.type Closes #16171 --- CHANGELOG.next.asciidoc | 1 + .../module/mssql/log/ingest/pipeline.yml | 9 ++ .../mssql/log/test/test.log-expected.json | 105 ++++++++++++++++++ 3 files changed, 115 insertions(+)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index ddc995820f7..b8bafbbaf1d 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -216,6 +216,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Added new module `crowdstrike` for ingesting Crowdstrike Falcon streaming API endpoint event data. {pull}16988[16988] - Added documentation for running Filebeat in Cloud Foundry. {pull}17275[17275] - Move azure-eventhub input to GA. {issue}15671[15671] {pull}17313[17313] +- Improve ECS categorization field mappings for mssql module. {issue}16171[16171] {pull}17376[17376] *Heartbeat*
diff --git a/x-pack/filebeat/module/mssql/log/ingest/pipeline.yml b/x-pack/filebeat/module/mssql/log/ingest/pipeline.yml
index d4a0790c1b6..39a10a9ff99 100644
--- a/x-pack/filebeat/module/mssql/log/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/mssql/log/ingest/pipeline.yml
@@ -35,6 +35,15 @@ processors: field: msg_temp target_field: message ignore_missing: true +- set: field: event.kind value: event +- append: field: event.category value: database +- append: field: event.type value: info on_failure: - set: field: error.message
diff --git a/x-pack/filebeat/module/mssql/log/test/test.log-expected.json b/x-pack/filebeat/module/mssql/log/test/test.log-expected.json
index 4f39989dc86..ed90c872d5a 100644
--- a/x-pack/filebeat/module/mssql/log/test/test.log-expected.json
+++ b/x-pack/filebeat/module/mssql/log/test/test.log-expected.json
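Review bot: The `event.kind: event` set at the top of the added processors remains on documents whose later processors fail, because the `on_failure` handler at the end of the pipeline.yml hunk only writes `error.message`; ECS defines `event.kind: pipeline_error` for exactly that case, so the handler should also carry `- set:` / `  field: event.kind` / `  value: pipeline_error`. The two `append` processors likewise tag every line as `database`/`info` regardless of content; if the module's patterns can identify messages such as failed logins (not visible in this hunk), those would fit the ECS `authentication` category with an `event.outcome`, and a blanket `info` hides them from detection rules keyed on category or outcome. Both the processors list and the on_failure block continue outside the hunk.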
@@ -1,9 +1,16 @@
[
{
"@timestamp": "2019-05-03T09:01:09.990-02:00",
+ "event.category": [
+ "database"
+ ],
"event.dataset": "mssql.log",
+ "event.kind": "event",
"event.module": "mssql",
"event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
"fileset.name": "log",
"input.type": "log",
"log.flags": [
@@ -17,9 +24,16 @@
},
{
"@timestamp": "2019-05-03T09:01:09.990-02:00",
+ "event.category": [
+ "database"
+ ],
"event.dataset": "mssql.log",
+ "event.kind": "event",
"event.module": "mssql",
"event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
"fileset.name": "log",
"input.type": "log",
"log.offset": 226,
@@ -30,9 +44,16 @@
},
{
"@timestamp": "2019-05-03T09:01:09.990-02:00",
+ "event.category": [
+ "database"
+ ],
"event.dataset": "mssql.log",
+ "event.kind": "event",
"event.module": "mssql",
"event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
"fileset.name": "log",
"input.type": "log",
"log.offset": 282,
@@ -43,9 +64,16 @@
},
{
"@timestamp": "2019-05-03T09:01:09.990-02:00",
+ "event.category": [
+ "database"
+ ],
"event.dataset": "mssql.log",
+ "event.kind": "event",
"event.module": "mssql",
"event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
"fileset.name": "log",
"input.type": "log",
"log.offset": 344,
@@ -56,9 +84,16 @@
},
{
"@timestamp": "2019-05-03T09:01:10.000-02:00",
+ "event.category": [
+ "database"
+ ],
"event.dataset": "mssql.log",
+ "event.kind": "event",
"event.module": "mssql",
"event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
"fileset.name": "log",
"input.type": "log",
"log.offset": 400,
@@ -69,9 +104,16 @@
},
{
"@timestamp": "2019-05-03T09:01:10.000-02:00",
+ "event.category": [
+ "database"
+ ],
"event.dataset": "mssql.log",
+ "event.kind": "event",
"event.module": "mssql",
"event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
"fileset.name": "log",
"input.type": "log",
"log.offset": 462,
@@ -82,9 +124,16 @@
},
{
"@timestamp": "2019-05-03T09:01:10.000-02:00",
+ "event.category": [
+ "database"
+ ],
"event.dataset": "mssql.log",
+ "event.kind": "event",
"event.module": "mssql",
"event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
"fileset.name": "log",
"input.type": "log",
"log.flags": [
@@ -98,9 +147,16 @@
},
{
"@timestamp": "2019-05-03T09:01:10.000-02:00",
+ "event.category": [
+ "database"
+ ],
"event.dataset": "mssql.log",
+ "event.kind": "event",
"event.module": "mssql",
"event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
"fileset.name": "log",
"input.type": "log",
"log.offset": 734,
@@ -111,9 +167,16 @@
},
{
"@timestamp": "2019-05-03T09:01:10.000-02:00",
+ "event.category": [
+ "database"
+ ],
"event.dataset": "mssql.log",
+ "event.kind": "event",
"event.module": "mssql",
"event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
"fileset.name": "log",
"input.type": "log",
"log.offset": 1011,
@@ -124,9 +187,16 @@
},
{
"@timestamp": "2019-05-03T09:01:10.000-02:00",
+ "event.category": [
+ "database"
+ ],
"event.dataset": "mssql.log",
+ "event.kind": "event",
"event.module": "mssql",
"event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
"fileset.name": "log",
"input.type": "log",
"log.offset": 1166,
@@ -137,9 +207,16 @@
},
{
"@timestamp": "2019-05-03T09:01:10.000-02:00",
+ "event.category": [
+ "database"
+ ],
"event.dataset": "mssql.log",
+ "event.kind": "event",
"event.module": "mssql",
"event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
"fileset.name": "log",
"input.type": "log",
"log.offset": 1289,
@@ -150,9 +227,16 @@
},
{
"@timestamp": "2019-05-03T09:01:10.010-02:00",
+ "event.category": [
+ "database"
+ ],
"event.dataset": "mssql.log",
+ "event.kind": "event",
"event.module": "mssql",
"event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
"fileset.name": "log",
"input.type": "log",
"log.offset": 1373,
@@ -163,9 +247,16 @@
},
{
"@timestamp": "2019-05-03T09:01:10.200-02:00",
+ "event.category": [
+ "database"
+ ],
"event.dataset": "mssql.log",
+ "event.kind": "event",
"event.module": "mssql",
"event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
"fileset.name": "log",
"input.type": "log",
"log.offset": 1435,
@@ -176,9 +267,16 @@
},
{
"@timestamp": "2019-05-03T09:01:11.930-02:00",
+ "event.category": [
+ "database"
+ ],
"event.dataset": "mssql.log",
+ "event.kind": "event",
"event.module": "mssql",
"event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
"fileset.name": "log",
"input.type": "log",
"log.offset": 1528,
@@ -189,9 +287,16 @@
},
{
"@timestamp": "2019-05-03T09:01:12.030-02:00",
+ "event.category": [
+ "database"
+ ],
"event.dataset": "mssql.log",
+ "event.kind": "event",
"event.module": "mssql",
"event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
"fileset.name": "log",
"input.type": "log",
"log.offset": 1599,