[Auditbeat] Cherry-pick #10225 to 6.x: System module: Update and re-e…

…nable package dataset (#10400) Cherry-pick of PR #10225 to 6.x branch. Original message: Re-enables the disabled `package` dataset and brings it up to date with the other, soon-to-be released datasets. High-level changes: - Renamed to `package` (singular) - Scheduled state reporting based on `state.period` and `package.state.period` - Common fields: `event.kind`, `event.action`, `event.id`, `message` - Save/Restore package information to disk
elastic · Feb 1, 2019 · 33217a6 · 33217a6
1 parent 329ce20
commit 33217a6
Show file tree

Hide file tree

Showing 18 changed files with 863 additions and 4 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -142,6 +142,7 @@ https://github.com/elastic/beats/compare/v6.6.0...6.x[Check the HEAD diff]
 
 - Add system module. {pull}9546[9546]
 - System module `process` dataset: Add user information to processes. {pull}9963[9963]
+- Add system `package` dataset. {pull}10225[10225]
 
 *Filebeat*
 

diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc
@@ -3892,6 +3892,101 @@ type: keyword
 The operating system's kernel version.
 
 
+--
+
+[float]
+== package fields
+
+`package` contains information about an installed or removed package.
+
+
+
+*`system.audit.package.name`*::
++
+--
+type: keyword
+
+Package name.
+
+
+--
+
+*`system.audit.package.version`*::
++
+--
+type: keyword
+
+Package version.
+
+
+--
+
+*`system.audit.package.release`*::
++
+--
+type: keyword
+
+Package release.
+
+
+--
+
+*`system.audit.package.arch`*::
++
+--
+type: keyword
+
+Package architecture.
+
+
+--
+
+*`system.audit.package.license`*::
++
+--
+type: keyword
+
+Package license.
+
+
+--
+
+*`system.audit.package.installtime`*::
++
+--
+type: date
+
+Package install time.
+
+
+--
+
+*`system.audit.package.size`*::
++
+--
+type: long
+
+Package size.
+
+
+--
+
+*`system.audit.package.summary`*::
++
+--
+Package summary.
+
+
+--
+
+*`system.audit.package.url`*::
++
+--
+type: keyword
+
+Package URL.
+
+
 --
 
 [float]

diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml
@@ -112,6 +112,7 @@ auditbeat.modules:
 - module: system
   datasets:
     - host    # General host information, e.g. uptime, IPs
+    - package # Installed, updated, and removed packages
     - process # Started and stopped processes
     - socket  # Opened and closed sockets
     - user    # User information
@@ -123,6 +124,7 @@ auditbeat.modules:
 
   # The state.period can be overridden for any dataset.
   # host.state.period: 12h
+  # package.state.period: 12h
   # process.state.period: 12h
   # socket.state.period: 12h
   # user.state.period: 12h

diff --git a/x-pack/auditbeat/auditbeat.yml b/x-pack/auditbeat/auditbeat.yml
@@ -50,6 +50,7 @@ auditbeat.modules:
 - module: system
   datasets:
     - host    # General host information, e.g. uptime, IPs
+    - package # Installed, updated, and removed packages
     - process # Started and stopped processes
     - socket  # Opened and closed sockets
     - user    # User information

diff --git a/x-pack/auditbeat/docs/modules/system.asciidoc b/x-pack/auditbeat/docs/modules/system.asciidoc
@@ -51,6 +51,7 @@ sample suggested configuration.
 - module: system
   datasets:
     - host
+    - package
     - process
     - socket
     - user
@@ -86,6 +87,7 @@ so a longer polling interval can be used.
 - module: system
   datasets:
     - host
+    - package
     - user
   period: 1m
   user.detect_password_changes: true
@@ -111,6 +113,7 @@ auditbeat.modules:
 - module: system
   datasets:
     - host    # General host information, e.g. uptime, IPs
+    - package # Installed, updated, and removed packages
     - process # Started and stopped processes
     - socket  # Opened and closed sockets
     - user    # User information
@@ -133,6 +136,8 @@ The following datasets are available:
 
 * <<{beatname_lc}-dataset-system-host,host>>
 
+* <<{beatname_lc}-dataset-system-package,package>>
+
 * <<{beatname_lc}-dataset-system-process,process>>
 
 * <<{beatname_lc}-dataset-system-socket,socket>>
@@ -141,6 +146,8 @@ The following datasets are available:
 
 include::system/host.asciidoc[]
 
+include::system/package.asciidoc[]
+
 include::system/process.asciidoc[]
 
 include::system/socket.asciidoc[]

diff --git a/x-pack/auditbeat/docs/modules/system/package.asciidoc b/x-pack/auditbeat/docs/modules/system/package.asciidoc
@@ -0,0 +1,21 @@
+////
+This file is generated! See scripts/docs_collector.py
+////
+
+[id="{beatname_lc}-dataset-system-package"]
+=== System package dataset
+
+include::../../../module/system/package/_meta/docs.asciidoc[]
+
+
+==== Fields
+
+For a description of each field in the dataset, see the
+<<exported-fields-system,exported fields>> section.
+
+Here is an example document generated by this dataset:
+
+[source,json]
+----
+include::../../../module/system/package/_meta/data.json[]
+----
diff --git a/x-pack/auditbeat/include/list.go b/x-pack/auditbeat/include/list.go
diff --git a/x-pack/auditbeat/module/system/_meta/config.yml.tmpl b/x-pack/auditbeat/module/system/_meta/config.yml.tmpl
@@ -7,9 +7,9 @@
 - module: system
   datasets:
     - host    # General host information, e.g. uptime, IPs
-    {{ if false -}}
-    - packages # Installed packages
-    {{- end -}}
+    {{ if ne .GOOS "windows" -}}
+    - package # Installed, updated, and removed packages
+    {{- end }}
     - process # Started and stopped processes
     {{ if eq .GOOS "linux" -}}
     - socket  # Opened and closed sockets
@@ -23,6 +23,9 @@
 {{ if .Reference }}
   # The state.period can be overridden for any dataset.
   # host.state.period: 12h
+  {{ if ne .GOOS "windows" -}}
+  # package.state.period: 12h
+  {{- end }}
   # process.state.period: 12h
   {{ if eq .GOOS "linux" -}}
   # socket.state.period: 12h

diff --git a/x-pack/auditbeat/module/system/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/_meta/docs.asciidoc
@@ -46,6 +46,7 @@ sample suggested configuration.
 - module: system
   datasets:
     - host
+    - package
     - process
     - socket
     - user
@@ -81,6 +82,7 @@ so a longer polling interval can be used.
 - module: system
   datasets:
     - host
+    - package
     - user
   period: 1m
   user.detect_password_changes: true

diff --git a/x-pack/auditbeat/module/system/fields.go b/x-pack/auditbeat/module/system/fields.go
diff --git a/x-pack/auditbeat/module/system/package/_meta/data.json b/x-pack/auditbeat/module/system/package/_meta/data.json
@@ -0,0 +1,29 @@
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "event": {
+        "action": "existing_package",
+        "dataset": "package",
+        "id": "9ac4ea4c-5a0c-475f-b4c9-ec9d981ff11b",
+        "kind": "state",
+        "module": "system"
+    },
+    "message": "Package zstd (1.3.5) is already installed",
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "audit": {
+            "package": {
+                "installtime": "2018-08-30T18:41:23.85657356+01:00",
+                "name": "zstd",
+                "summary": "Zstandard is a real-time compression algorithm",
+                "url": "http://zstd.net/",
+                "version": "1.3.5"
+            }
+        }
+    }
+}
diff --git a/x-pack/auditbeat/module/system/package/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/package/_meta/docs.asciidoc
@@ -0,0 +1,8 @@
+[role="xpack"]
+
+experimental[]
+
+This is the `package` dataset of the system module.
+
+It is implemented for Linux distributions using dpkg as their package manager,
+and for Homebrew on macOS (Darwin).
diff --git a/x-pack/auditbeat/module/system/package/_meta/fields.yml b/x-pack/auditbeat/module/system/package/_meta/fields.yml
@@ -0,0 +1,41 @@
+- name: package
+  type: group
+  description: >
+    `package` contains information about an installed or removed package.
+  release: experimental
+  fields:
+  - name: name
+    type: keyword
+    description: >
+      Package name.
+  - name: version
+    type: keyword
+    description: >
+      Package version.
+  - name: release
+    type: keyword
+    description: >
+      Package release.
+  - name: arch
+    type: keyword
+    description: >
+      Package architecture.
+  - name: license
+    type: keyword
+    description: >
+      Package license.
+  - name: installtime
+    type: date
+    description: >
+      Package install time.
+  - name: size
+    type: long
+    description: >
+      Package size.
+  - name: summary
+    description: >
+      Package summary.
+  - name: url
+    type: keyword
+    description: >
+      Package URL.
diff --git a/x-pack/auditbeat/module/system/package/config.go b/x-pack/auditbeat/module/system/package/config.go
@@ -0,0 +1,30 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build !windows
+
+package pkg
+
+import (
+	"time"
+)
+
+// config defines the package metricset's configuration options.
+type config struct {
+	StatePeriod        time.Duration `config:"state.period"`
+	PackageStatePeriod time.Duration `config:"package.state.period"`
+}
+
+func (c *config) effectiveStatePeriod() time.Duration {
+	if c.PackageStatePeriod != 0 {
+		return c.PackageStatePeriod
+	}
+	return c.StatePeriod
+}
+
+func defaultConfig() config {
+	return config{
+		StatePeriod: 12 * time.Hour,
+	}
+}