Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unify the Auditbeat Event Schema #5423

Closed
andrewkroh opened this issue Oct 23, 2017 · 5 comments
Closed

Unify the Auditbeat Event Schema #5423

andrewkroh opened this issue Oct 23, 2017 · 5 comments
Labels
Auditbeat enhancement

Comments

@andrewkroh
Copy link
Member

In order to make it possible to correlate data produced by one module with data from another module we need to ensure that a common set of field names is used by all modules (e.g. common data like user ID should be called uid rather than audit.kernel.uid and audit.file.uid).

I'd like to review the field names and make changes where possible.
@andrewkroh andrewkroh mentioned this issue Oct 24, 2017
Closed
9 tasks
@ruflin
Copy link
Contributor

ruflin commented Nov 5, 2017

WDYT of instead of using a global uid having user.id? Or could we put uid under unix namespace as uid is pretty unix typical: unix.uid. I kind of like uid as a name as it's very common but would prefer not to have it in the global namespace. gid would fit in the same bucket.

@andrewkroh
Copy link
Member Author

I like the notion of group all the user related info under user. I think user.id would work. And on *nix this is the UID and on Windows this is the SID.

@andrewkroh
Copy link
Member Author

I started a spreadsheet to map out some possible field renames.

andrewkroh added a commit to andrewkroh/beats that referenced this issue Jan 5, 2018
@andrewkroh
Rename file integrity fields
0fa17bd 
This creates three groups of fields in the file integrity module `event`, `hash`, and `file`.

It also changes `dataset.module` to `event.module` for all modules.

elastic#5423
ruflin pushed a commit that referenced this issue Jan 9, 2018
@andrewkroh @ruflin
Rename file integrity fields (#5995)
259d6ac 
This creates three groups of fields in the file integrity module `event`, `hash`, and `file`.

It also changes `dataset.module` to `event.module` for all modules.

* Update field test to account for Windows
* file.mode and file.gid aren't populated for Windows.
* Use multi-field for file.origin

Related to #5423
@ruflin
Copy link
Contributor

ruflin commented Jan 9, 2018

@andrewkroh With #5995 I'm not sure if this is completed or if this was only the first step.

@andrewkroh
Copy link
Member Author

That was only half of it. I'm working on changes to the auditd data.

@andrewkroh andrewkroh mentioned this issue Jan 16, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Auditbeat enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ruflin @andrewkroh