[Auditbeat] System module: Update and re-enable package dataset (#10225)
Re-enables the disabled `package` dataset and brings it up to date with the other, soon-to-be released datasets.

High-level changes:

- Renamed to `package` (singular)
- Scheduled state reporting based on `state.period` and `package.state.period`
- Common fields: `event.kind`, `event.action`, `event.id`, `message`
- Save/Restore package information to disk

(cherry picked from commit 1e2c30a)
Christoph Wurm committed Jan 31, 2019
1 parent 7f27b94 commit 79936db
Showing 18 changed files with 863 additions and 4 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
@@ -142,6 +142,7 @@ https://github.com/elastic/beats/compare/v6.6.0...6.x[Check the HEAD diff]

- Add system module. {pull}9546[9546]
- System module `process` dataset: Add user information to processes. {pull}9963[9963]
- Add system `package` dataset. {pull}10225[10225]

*Filebeat*

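Review bot: the entry `- Add system `package` dataset. {pull}10225[10225]` should say that the dataset is experimental and covers only dpkg-based Linux and Homebrew on macOS, as the dataset docs added in this commit state; the changelog line is where a user on an RPM-based or Windows host will first look for why the dataset does nothing for them.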
95 changes: 95 additions & 0 deletions auditbeat/docs/fields.asciidoc
@@ -3892,6 +3892,101 @@ type: keyword
The operating system's kernel version.
--
[float]
== package fields
`package` contains information about an installed or removed package.
*`system.audit.package.name`*::
+
--
type: keyword
Package name.
--
*`system.audit.package.version`*::
+
--
type: keyword
Package version.
--
*`system.audit.package.release`*::
+
--
type: keyword
Package release.
--
*`system.audit.package.arch`*::
+
--
type: keyword
Package architecture.
--
*`system.audit.package.license`*::
+
--
type: keyword
Package license.
--
*`system.audit.package.installtime`*::
+
--
type: date
Package install time.
--
*`system.audit.package.size`*::
+
--
type: long
Package size.
--
*`system.audit.package.summary`*::
+
--
Package summary.
--
*`system.audit.package.url`*::
+
--
type: keyword
Package URL.
--
[float]
2 changes: 2 additions & 0 deletions x-pack/auditbeat/auditbeat.reference.yml
@@ -112,6 +112,7 @@ auditbeat.modules:
- module: system
datasets:
- host # General host information, e.g. uptime, IPs
- package # Installed, updated, and removed packages
- process # Started and stopped processes
- socket # Opened and closed sockets
- user # User information
@@ -123,6 +124,7 @@ auditbeat.modules:

# The state.period can be overridden for any dataset.
# host.state.period: 12h
# package.state.period: 12h
# process.state.period: 12h
# socket.state.period: 12h
# user.state.period: 12h
1 change: 1 addition & 0 deletions x-pack/auditbeat/auditbeat.yml
@@ -50,6 +50,7 @@ auditbeat.modules:
- module: system
datasets:
- host # General host information, e.g. uptime, IPs
- package # Installed, updated, and removed packages
- process # Started and stopped processes
- socket # Opened and closed sockets
- user # User information
7 changes: 7 additions & 0 deletions x-pack/auditbeat/docs/modules/system.asciidoc
@@ -51,6 +51,7 @@ sample suggested configuration.
- module: system
datasets:
- host
- package
- process
- socket
- user
@@ -86,6 +87,7 @@ so a longer polling interval can be used.
- module: system
datasets:
- host
- package
- user
period: 1m
user.detect_password_changes: true
@@ -111,6 +113,7 @@ auditbeat.modules:
- module: system
datasets:
- host # General host information, e.g. uptime, IPs
- package # Installed, updated, and removed packages
- process # Started and stopped processes
- socket # Opened and closed sockets
- user # User information
@@ -133,6 +136,8 @@ The following datasets are available:

* <<{beatname_lc}-dataset-system-host,host>>

* <<{beatname_lc}-dataset-system-package,package>>

* <<{beatname_lc}-dataset-system-process,process>>

* <<{beatname_lc}-dataset-system-socket,socket>>
@@ -141,6 +146,8 @@ The following datasets are available:

include::system/host.asciidoc[]

include::system/package.asciidoc[]

include::system/process.asciidoc[]

include::system/socket.asciidoc[]
21 changes: 21 additions & 0 deletions x-pack/auditbeat/docs/modules/system/package.asciidoc
@@ -0,0 +1,21 @@
////
This file is generated! See scripts/docs_collector.py
////

[id="{beatname_lc}-dataset-system-package"]
=== System package dataset

include::../../../module/system/package/_meta/docs.asciidoc[]


==== Fields

For a description of each field in the dataset, see the
<<exported-fields-system,exported fields>> section.

Here is an example document generated by this dataset:

[source,json]
----
include::../../../module/system/package/_meta/data.json[]
----
1 change: 1 addition & 0 deletions x-pack/auditbeat/include/list.go


9 changes: 6 additions & 3 deletions x-pack/auditbeat/module/system/_meta/config.yml.tmpl
@@ -7,9 +7,9 @@
- module: system
datasets:
- host # General host information, e.g. uptime, IPs
{{ if false -}}
- packages # Installed packages
{{- end -}}
{{ if ne .GOOS "windows" -}}
- package # Installed, updated, and removed packages
{{- end }}
- process # Started and stopped processes
{{ if eq .GOOS "linux" -}}
- socket # Opened and closed sockets
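Review bot: `{{ if ne .GOOS "windows" -}}` turns `package` on by default for every non-Windows build, but the dataset docs in this same commit say it is implemented only for dpkg-based Linux and Homebrew on macOS. Either gate the template on the package managers the code actually handles, or document what the dataset does on an RPM-based Linux host or a BSD (refuse to start, log once and emit nothing, ...) so that the shipped default config does not surprise users there.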
@@ -23,6 +23,9 @@
{{ if .Reference }}
# The state.period can be overridden for any dataset.
# host.state.period: 12h
{{ if ne .GOOS "windows" -}}
# package.state.period: 12h
{{- end }}
# process.state.period: 12h
{{ if eq .GOOS "linux" -}}
# socket.state.period: 12h
2 changes: 2 additions & 0 deletions x-pack/auditbeat/module/system/_meta/docs.asciidoc
@@ -46,6 +46,7 @@ sample suggested configuration.
- module: system
datasets:
- host
- package
- process
- socket
- user
@@ -81,6 +82,7 @@ so a longer polling interval can be used.
- module: system
datasets:
- host
- package
- user
period: 1m
user.detect_password_changes: true
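Review bot: this example now runs `package` on the `period: 1m` poll together with `host` and `user`, while the sentence above only argues that a longer interval is acceptable. Say what one poll costs for `package` (it has to at least re-list installed packages to notice a change) or use the interval the dataset docs recommend, because this snippet is the value people copy; it is also the source for `docs/modules/system.asciidoc`, so fix it here rather than in the generated copy.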
2 changes: 1 addition & 1 deletion x-pack/auditbeat/module/system/fields.go


29 changes: 29 additions & 0 deletions x-pack/auditbeat/module/system/package/_meta/data.json
@@ -0,0 +1,29 @@
{
"@timestamp": "2017-10-12T08:05:34.853Z",
"agent": {
"hostname": "host.example.com",
"name": "host.example.com"
},
"event": {
"action": "existing_package",
"dataset": "package",
"id": "9ac4ea4c-5a0c-475f-b4c9-ec9d981ff11b",
"kind": "state",
"module": "system"
},
"message": "Package zstd (1.3.5) is already installed",
"service": {
"type": "system"
},
"system": {
"audit": {
"package": {
"installtime": "2018-08-30T18:41:23.85657356+01:00",
"name": "zstd",
"summary": "Zstandard is a real-time compression algorithm",
"url": "http://zstd.net/",
"version": "1.3.5"
}
}
}
}
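Review bot: the `message` `"Package zstd (1.3.5) is already installed"` reads like the outcome of a failed install attempt rather than a periodic state report; for `event.kind: state` with `event.action: existing_package`, `Package zstd (1.3.5) is installed` is less likely to be misread by someone triaging alerts. The sample also carries only `name`, `version`, `summary`, `url` and `installtime` (no `arch`, `release`, `size`, `license`), which looks like a Homebrew host; the dataset docs should say which fields each package manager populates so dashboards and detection rules do not assume `size` or `arch` are always present.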
8 changes: 8 additions & 0 deletions x-pack/auditbeat/module/system/package/_meta/docs.asciidoc
@@ -0,0 +1,8 @@
[role="xpack"]

experimental[]

This is the `package` dataset of the system module.

It is implemented for Linux distributions using dpkg as their package manager,
and for Homebrew on macOS (Darwin).
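Review bot: the docs should describe the two configuration knobs this commit introduces, `state.period` (default 12h per `defaultConfig()` in `config.go`) and the dataset-specific override `package.state.period`, plus the `event.kind` / `event.action` values a reader will see (`state` with `existing_package` in the sample document); at the moment the only mention of either option is a commented-out line in the reference config.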
41 changes: 41 additions & 0 deletions x-pack/auditbeat/module/system/package/_meta/fields.yml
@@ -0,0 +1,41 @@
- name: package
type: group
description: >
`package` contains information about an installed or removed package.
release: experimental
fields:
- name: name
type: keyword
description: >
Package name.
- name: version
type: keyword
description: >
Package version.
- name: release
type: keyword
description: >
Package release.
- name: arch
type: keyword
description: >
Package architecture.
- name: license
type: keyword
description: >
Package license.
- name: installtime
type: date
description: >
Package install time.
- name: size
type: long
description: >
Package size.
- name: summary
description: >
Package summary.
- name: url
type: keyword
description: >
Package URL.
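Review bot: `summary` is the only field in this group without a `type:`; every other string field is `keyword`, and a free-text package description is the one field that might deliberately be `text` instead, so the omission looks accidental. Pick one explicitly. `size` also needs a unit in its description (bytes or KiB, whichever the package manager reports), since `long` alone tells the reader nothing. `fields.asciidoc` and `fields.go` are generated from this file, so fix it here and regenerate rather than touching the rendered copies.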
30 changes: 30 additions & 0 deletions x-pack/auditbeat/module/system/package/config.go
@@ -0,0 +1,30 @@
// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
// or more contributor license agreements. Licensed under the Elastic License;
// you may not use this file except in compliance with the Elastic License.

// +build !windows

package pkg

import (
"time"
)

// config defines the package metricset's configuration options.
type config struct {
StatePeriod time.Duration `config:"state.period"`
PackageStatePeriod time.Duration `config:"package.state.period"`
}

func (c *config) effectiveStatePeriod() time.Duration {
if c.PackageStatePeriod != 0 {
return c.PackageStatePeriod
}
return c.StatePeriod
}

func defaultConfig() config {
return config{
StatePeriod: 12 * time.Hour,
}
}
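Review bot: `effectiveStatePeriod()` only tests `PackageStatePeriod != 0`, so a negative or sub-second `package.state.period` (or `state.period`) is accepted and returned as-is, and whatever schedules state reports from it will then either never fire or fire continuously. Add `validate:"positive"` to both struct tags (go-ucfg supports it) or an explicit check in a `Validate() error` method so a typo such as `-12h` is rejected at config load. A one-line comment that `package.state.period` wins over the module-wide `state.period` when both are set would also save the next reader a trip into `effectiveStatePeriod()`.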
