From aba4b89859b4395a53a09242aeaebff8f018dcbe Mon Sep 17 00:00:00 2001
From: beats-jenkins
Date: Fri, 18 Jan 2019 15:25:41 +0100
Subject: [PATCH] Migrate Winlogbeat to ECS
This PR is to kick of a discussion around Winlogbeat and ECS migration.
---
winlogbeat/_meta/fields.common.yml | 24 +++++++++++++++++-------
winlogbeat/eventlog/eventlog.go | 18 +++++++++---------
2 files changed, 26 insertions(+), 16 deletions(-)
diff --git a/winlogbeat/_meta/fields.common.yml b/winlogbeat/_meta/fields.common.yml
index cceb4e91fb3..2aaa63abd2d 100644
--- a/winlogbeat/_meta/fields.common.yml
+++ b/winlogbeat/_meta/fields.common.yml
@@ -3,6 +3,7 @@
description: >
Contains common fields available in all event types.
fields:
+ # Is this event.type?
- name: type
required: true
description: >
@@ -31,7 +32,8 @@
activity.
- name: computer_name
- type: keyword
+ type: alias
+ path: host.name
required: true
description: >
The name of the computer that generated the record. When using Windows
@@ -49,7 +51,8 @@
earlier versions of Windows.
- name: event_id
- type: long
+ type: alias
+ path: event.id
required: true
description: >
The event identifier. The value is specific to the source of the event.
@@ -61,14 +64,17 @@
The keywords are used to classify an event.
- name: log_name
- type: keyword
+ # This does not exist yet
+ path: log.name
+ type: alias
required: true
description: >
The name of the event log from which this record was read. This value is one of the names from the `event_logs` collection in the configuration.
- name: level
- type: keyword
+ type: alias
+ path: log.level
required: false
description: >
The level of the event. There are five levels of events that can be
@@ -76,7 +82,8 @@
Failure.
- name: message_error
- type: keyword
+ type: alias
+ path: error.message
required: false
description: >
The error that occurred while reading and formatting the message from
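Review bot: Aliasing `computer_name` onto `host.name` quietly changes what the field means for forwarded events: the record's Computer value names the machine that wrote the event, which on a Windows Event Collector is not the machine running Winlogbeat, and if libbeat also stamps `host.name` with the local hostname on every event (it does for other beats in this line, to be confirmed here) the two writers collide and host attribution of security events becomes ambiguous. Decide which value wins before relying on the alias and record it in the description, e.g. `For forwarded events this is the originating computer, which may differ from the host running Winlogbeat.`. Keeping the raw computer name under a winlogbeat-specific field as well would preserve it for audit when the ECS field is overwritten.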
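Review bot: Replacing `type: long` with an alias to `event.id` changes the indexed type of `event_id` to that of its target (a keyword in ECS), so numeric and range queries on `event_id` stop behaving as before, and it conflates two different identifiers: ECS `event.id` is meant to be unique per event, whereas the Windows event ID is a code shared by every event of the same kind (every logon, every process start). ECS defines `event.code` for exactly that kind of value, so `path: event.code` is the better target, and the description should state the change, e.g. `Aliased to event.code; indexed as a keyword, so compare it as a string.`. Detection content is keyed on this field more than any other, so the type change also belongs in the migration notes.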
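Review bot: The alias for `log_name` targets `log.name`, which the added comment itself says does not exist; Elasticsearch only accepts an alias whose target is already present in the mapping, so the generated index template is rejected until `log.name` is defined by ECS or by winlogbeat's own fields, and the same applies to the `level` → `log.level` alias if `log.level` is not in the ECS field set this build ships. Either declare the target field in this file or hold the alias until the ECS field lands, and replace the bare comment with a tracked one: `# TODO(ecs): log.name is not in ECS yet; the template fails to install until the target exists.`.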
@@ -116,7 +123,8 @@
the event.
- name: process_id
- type: long
+ type: alias
+ path: process.id
required: false
description: >
The process_id identifies the process that generated the event.
@@ -138,7 +146,8 @@
operating systems) is written to this field.
- name: thread_id
- type: long
+ type: alias
+ path: process.thread.id
required: false
description: >
The thread_id identifies the thread that generated the event.
@@ -152,6 +161,7 @@
`event_data`.
- name: user.identifier
+ # Is this user.id?
type: keyword
required: false
example: S-1-5-21-3541430928-2051711210-1391384369-1001
diff --git a/winlogbeat/eventlog/eventlog.go b/winlogbeat/eventlog/eventlog.go
index 1b6dcc475e1..07b022d4abe 100644
--- a/winlogbeat/eventlog/eventlog.go
+++ b/winlogbeat/eventlog/eventlog.go
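Review bot: ECS has no `process.id`; the process identifier field is `process.pid` (the thread field used in the next hunk, `process.thread.id`, is the ECS name), so this alias points at a field the ECS template does not define and Elasticsearch rejects an alias whose target is missing from the mapping. Change the target to `path: process.pid`. The alias also changes the indexed type of `process_id` from `long` to whatever `process.pid` is mapped as, which is worth a line in the description.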
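Review bot: Mapping `thread_id` onto `process.thread.id` puts a value the description calls "the thread that generated the event" into the ECS namespace that describes the process the event is about; for audit events the generating thread belongs to the logging service, not to the process a rule author is hunting, so the ECS name will mislead. Either keep this value under a winlogbeat-specific field or state the distinction in the description, e.g. `This is the thread of the process that wrote the record, which for audit events is not the subject of the event.`.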
@@ -82,30 +82,30 @@ type Record struct {
func (e Record) ToEvent() beat.Event {
m := common.MapStr{
"type": e.API,
- "log_name": e.Channel,
- "source_name": e.Provider.Name,
- "computer_name": e.Computer,
"record_number": strconv.FormatUint(e.RecordID, 10),
- "event_id": e.EventIdentifier.ID,
}
+ m.Put("event.id", e.EventIdentifier.ID)
+ m.Put("log.name", e.Channel)
+ m.Put("source.name", e.Channel)
+ m.Put("host.name", e.Computer)
addOptional(m, "xml", e.XML)
addOptional(m, "provider_guid", e.Provider.GUID)
addOptional(m, "version", e.Version)
- addOptional(m, "level", e.Level)
+ addOptional(m, "log.level", e.Level)
addOptional(m, "task", e.Task)
addOptional(m, "opcode", e.Opcode)
addOptional(m, "keywords", e.Keywords)
addOptional(m, "message", sys.RemoveWindowsLineEndings(e.Message))
- addOptional(m, "message_error", e.RenderErr)
+ addOptional(m, "error.message", e.RenderErr)
// Correlation
addOptional(m, "activity_id", e.Correlation.ActivityID)
addOptional(m, "related_activity_id", e.Correlation.RelatedActivityID)
// Execution
- addOptional(m, "process_id", e.Execution.ProcessID)
- addOptional(m, "thread_id", e.Execution.ThreadID)
+ addOptional(m, "process.id", e.Execution.ProcessID)
+ addOptional(m, "process.thread.id", e.Execution.ThreadID)
addOptional(m, "processor_id", e.Execution.ProcessorID)
addOptional(m, "session_id", e.Execution.SessionID)
addOptional(m, "kernel_time", e.Execution.KernelTime)
@@ -139,7 +139,7 @@ func (e Record) ToEvent() beat.Event {
// MapStr.
func addOptional(m common.MapStr, key string, v interface{}) {
if m != nil && !isZero(v) {
- m[key] = v
+ m.Put(key) = v
}
}
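Review bot: `m.Put("source.name", e.Channel)` drops the provider: the removed line was `"source_name": e.Provider.Name`, so the new `source.name` carries the channel, duplicates `log.name`, and the provider name no longer appears in the event at all — many providers write to one channel (the Application log, for one), so channel alone does not identify the source and any detection content keyed on it goes dark. It should read `m.Put("source.name", e.Provider.Name)`; note also that no hunk in this diff touches `source_name` in fields.common.yml, so that field stays declared as a keyword that is never populated. Two smaller points: each `m.Put` call discards its return values (if it follows libbeat's `MapStr.Put`, the second is an error), and `host.name` set from `e.Computer` will clash with the `host.name` libbeat adds to every event if that behaviour applies here, which matters for forwarded events whose Computer is not the collector. ToEvent continues past the end of the hunk.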
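Review bot: `m.Put(key) = v` does not compile — a call expression is not assignable, and `Put` takes the value as its second argument — so the line should be `m.Put(key, v)`. If `Put` follows the libbeat `MapStr.Put` signature it also returns an error for keys that cannot be nested, something the old `m[key] = v` could never produce, so either handle it or discard it explicitly: `_, _ = m.Put(key, v)`. The switch also changes semantics for dotted keys, which now create nested maps instead of a flat key; the function's doc comment (its tail, `// MapStr.`, is the first context line here) should say so, e.g. `Dotted keys are stored as nested maps.`.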