Skip to content

Commit

Permalink
Change event.type to auditd.message_type
Browse files Browse the repository at this point in the history
`event.type` is a reserved field in ECS so move the current field to `auditd.message_type`.
  • Loading branch information
andrewkroh committed Feb 5, 2019
1 parent 89af30d commit 4ac3343
Show file tree
Hide file tree
Showing 9 changed files with 31 additions and 12 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
FIM module. {pull}10195[10195]
- Field `file.origin` changed type from `text` to `keyword`. {pull}10544[10544]
- Rename user fields to ECS in auditd module. {pull}10456[10456]
- Rename `event.type` to `auditd.message_type` in auditd module because event.type is reserved for future use by ECS. {pull}10536[10536]

*Filebeat*

Expand Down
1 change: 1 addition & 0 deletions auditbeat/docs/breaking.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ In version 7.0 the following fields were renamed.
[frame="topbot",options="header"]
|======================
|Old Field|New Field
|`event.type` |`auditd.message_type`
|`process.cwd` |`process.working_directory`
|`source.hostname` |`source.domain`
|`user.auid` |`user.audit.id`
Expand Down
12 changes: 12 additions & 0 deletions auditbeat/docs/fields.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -302,6 +302,18 @@ This is the path associated with a unix socket.
--
*`auditd.message_type`*::
+
--
type: keyword
example: syscall
The audit message type (e.g. syscall or apparmor_denied).
--
*`auditd.sequence`*::
+
--
Expand Down
4 changes: 2 additions & 2 deletions auditbeat/module/auditd/_meta/accept.json
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
"syscall": "accept",
"tty": "(none)"
},
"message_type": "syscall",
"result": "success",
"sequence": 8832,
"session": "unset",
Expand All @@ -34,8 +35,7 @@
"event": {
"action": "accepted-connection-from",
"category": "audit-rule",
"module": "auditd",
"type": "syscall"
"module": "auditd"
},
"network": {
"direction": "incoming"
Expand Down
4 changes: 2 additions & 2 deletions auditbeat/module/auditd/_meta/data.json
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
"op": "login",
"terminal": "sshd"
},
"message_type": "user_login",
"result": "fail",
"sequence": 19955,
"session": "unset",
Expand All @@ -29,8 +30,7 @@
"event": {
"action": "logged-in",
"category": "user-login",
"module": "auditd",
"type": "user_login"
"module": "auditd"
},
"network": {
"direction": "incoming"
Expand Down
4 changes: 2 additions & 2 deletions auditbeat/module/auditd/_meta/execve.json
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
"syscall": "execve",
"tty": "pts0"
},
"message_type": "syscall",
"paths": [
{
"dev": "08:01",
Expand Down Expand Up @@ -53,8 +54,7 @@
"event": {
"action": "executed",
"category": "audit-rule",
"module": "auditd",
"type": "syscall"
"module": "auditd"
},
"file": {
"device": "00:00",
Expand Down
5 changes: 5 additions & 0 deletions auditbeat/module/auditd/_meta/fields.yml
Original file line number Diff line number Diff line change
Expand Up @@ -135,6 +135,11 @@
- name: auditd
type: group
fields:
- name: message_type
type: keyword
example: syscall
description: >
The audit message type (e.g. syscall or apparmor_denied).
- name: sequence
type: long
description: >
Expand Down
10 changes: 5 additions & 5 deletions auditbeat/module/auditd/audit_linux.go
Original file line number Diff line number Diff line change
Expand Up @@ -472,15 +472,15 @@ func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event
RootFields: common.MapStr{
"event": common.MapStr{
"category": auditEvent.Category.String(),
"type": strings.ToLower(auditEvent.Type.String()),
"action": auditEvent.Summary.Action,
},
},
ModuleFields: common.MapStr{
"sequence": auditEvent.Sequence,
"result": auditEvent.Result,
"session": auditEvent.Session,
"data": createAuditdData(auditEvent.Data),
"message_type": strings.ToLower(auditEvent.Type.String()),
"sequence": auditEvent.Sequence,
"result": auditEvent.Result,
"session": auditEvent.Session,
"data": createAuditdData(auditEvent.Data),
},
}

Expand Down
2 changes: 1 addition & 1 deletion auditbeat/module/auditd/fields.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit 4ac3343

Please sign in to comment.