Cherry-pick #10225 to 6.x: [Auditbeat] System module: Update and re-enable package dataset #10399

Closed
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -136,6 +136,7 @@ https://github.com/elastic/beats/compare/v6.6.0...6.x[Check the HEAD diff]
*Auditbeat*

- Add system module. {pull}9546[9546]
- Add system `package` dataset. {pull}10225[10225]

*Filebeat*

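Review bot: the new *Auditbeat* changelog line says nothing about platform scope, although the rest of this PR enables the dataset only for non-Windows builds (`{{ if ne .GOOS "windows" -}}` in the config template, `// +build !windows` in config.go) and the dataset docs limit it to dpkg and Homebrew. Consider saying so in the entry, e.g. `- Add system `package` dataset (Linux with dpkg, macOS with Homebrew). {pull}10225[10225]`, so 6.x users on other systems do not expect package events.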
95 changes: 95 additions & 0 deletions auditbeat/docs/fields.asciidoc
Expand Up @@ -3799,6 +3799,101 @@ type: keyword
The operating system's kernel version.


--

[float]
== package fields

`package` contains information about an installed or removed package.



*`system.audit.package.name`*::
+
--
type: keyword

Package name.


--

*`system.audit.package.version`*::
+
--
type: keyword

Package version.


--

*`system.audit.package.release`*::
+
--
type: keyword

Package release.


--

*`system.audit.package.arch`*::
+
--
type: keyword

Package architecture.


--

*`system.audit.package.license`*::
+
--
type: keyword

Package license.


--

*`system.audit.package.installtime`*::
+
--
type: date

Package install time.


--

*`system.audit.package.size`*::
+
--
type: long

Package size.


--

*`system.audit.package.summary`*::
+
--
Package summary.


--

*`system.audit.package.url`*::
+
--
type: keyword

Package URL.


--

[float]
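Review bot: `system.audit.package.summary` is the only field in this group rendered without a `type:` line; every sibling declares `keyword`, `date` or `long`. This file is generated from `_meta/fields.yml`, so the omission comes from there; declare the type explicitly (`keyword` for exact match, `text` if the summary should be free-text searchable) so the mapping is a deliberate choice rather than the generator's default.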
2 changes: 2 additions & 0 deletions x-pack/auditbeat/auditbeat.reference.yml
Expand Up @@ -112,6 +112,7 @@ auditbeat.modules:
- module: system
datasets:
- host # General host information, e.g. uptime, IPs
- package # Installed, updated, and removed packages
- process # Started and stopped processes
- socket # Opened and closed sockets
- user # User information
Expand All @@ -123,6 +124,7 @@ auditbeat.modules:

# The state.period can be overridden for any dataset.
# host.state.period: 12h
# package.state.period: 12h
# process.state.period: 12h
# socket.state.period: 12h
# user.state.period: 12h
1 change: 1 addition & 0 deletions x-pack/auditbeat/auditbeat.yml
Expand Up @@ -50,6 +50,7 @@ auditbeat.modules:
- module: system
datasets:
- host # General host information, e.g. uptime, IPs
- package # Installed, updated, and removed packages
- process # Started and stopped processes
- socket # Opened and closed sockets
- user # User information
7 changes: 7 additions & 0 deletions x-pack/auditbeat/docs/modules/system.asciidoc
Expand Up @@ -51,6 +51,7 @@ sample suggested configuration.
- module: system
datasets:
- host
- package
- process
- socket
- user
Expand Down Expand Up @@ -86,6 +87,7 @@ so a longer polling interval can be used.
- module: system
datasets:
- host
- package
- user
period: 1m
user.detect_password_changes: true
Expand All @@ -111,6 +113,7 @@ auditbeat.modules:
- module: system
datasets:
- host # General host information, e.g. uptime, IPs
- package # Installed, updated, and removed packages
- process # Started and stopped processes
- socket # Opened and closed sockets
- user # User information
Expand All @@ -133,6 +136,8 @@ The following datasets are available:

* <<{beatname_lc}-dataset-system-host,host>>

* <<{beatname_lc}-dataset-system-package,package>>

* <<{beatname_lc}-dataset-system-process,process>>

* <<{beatname_lc}-dataset-system-socket,socket>>
Expand All @@ -141,6 +146,8 @@ The following datasets are available:

include::system/host.asciidoc[]

include::system/package.asciidoc[]

include::system/process.asciidoc[]

include::system/socket.asciidoc[]
21 changes: 21 additions & 0 deletions x-pack/auditbeat/docs/modules/system/package.asciidoc
@@ -0,0 +1,21 @@
////
This file is generated! See scripts/docs_collector.py
////

[id="{beatname_lc}-dataset-system-package"]
=== System package dataset

include::../../../module/system/package/_meta/docs.asciidoc[]


==== Fields

For a description of each field in the dataset, see the
<<exported-fields-system,exported fields>> section.

Here is an example document generated by this dataset:

[source,json]
----
include::../../../module/system/package/_meta/data.json[]
----
1 change: 1 addition & 0 deletions x-pack/auditbeat/include/list.go
9 changes: 6 additions & 3 deletions x-pack/auditbeat/module/system/_meta/config.yml.tmpl
Expand Up @@ -8,9 +8,9 @@
- module: system
datasets:
- host # General host information, e.g. uptime, IPs
{{ if false -}}
- packages # Installed packages
{{- end -}}
{{ if ne .GOOS "windows" -}}
- package # Installed, updated, and removed packages
{{- end }}
- process # Started and stopped processes
{{ if eq .GOOS "linux" -}}
- socket # Opened and closed sockets
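Review bot: the dataset name changes from `packages` to `package` and the `{{ if false -}}` guard that hid it is replaced by `{{ if ne .GOOS "windows" -}}`, which agrees with the `// +build !windows` constraint on config.go. Note the closing tag is `{{- end }}` (no right-hand trim, unlike the old `{{- end -}}`); that trailing newline is what keeps `- process` on its own line, so keep this exact form. The checked-in `auditbeat.yml` and `auditbeat.reference.yml` in this PR list `package` unconditionally, so confirm those are the copies Windows users should see, or that they are regenerated per GOOS.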
Expand All @@ -24,6 +24,9 @@
{{ if .Reference }}
# The state.period can be overridden for any dataset.
# host.state.period: 12h
{{ if ne .GOOS "windows" -}}
# package.state.period: 12h
{{- end }}
# process.state.period: 12h
# socket.state.period: 12h
# user.state.period: 12h
2 changes: 2 additions & 0 deletions x-pack/auditbeat/module/system/_meta/docs.asciidoc
Expand Up @@ -46,6 +46,7 @@ sample suggested configuration.
- module: system
datasets:
- host
- package
- process
- socket
- user
Expand Down Expand Up @@ -81,6 +82,7 @@ so a longer polling interval can be used.
- module: system
datasets:
- host
- package
- user
period: 1m
user.detect_password_changes: true
2 changes: 1 addition & 1 deletion x-pack/auditbeat/module/system/fields.go
29 changes: 29 additions & 0 deletions x-pack/auditbeat/module/system/package/_meta/data.json
@@ -0,0 +1,29 @@
{
"@timestamp": "2017-10-12T08:05:34.853Z",
"agent": {
"hostname": "host.example.com",
"name": "host.example.com"
},
"event": {
"action": "existing_package",
"dataset": "package",
"id": "9ac4ea4c-5a0c-475f-b4c9-ec9d981ff11b",
"kind": "state",
"module": "system"
},
"message": "Package zstd (1.3.5) is already installed",
"service": {
"type": "system"
},
"system": {
"audit": {
"package": {
"installtime": "2018-08-30T18:41:23.85657356+01:00",
"name": "zstd",
"summary": "Zstandard is a real-time compression algorithm",
"url": "http://zstd.net/",
"version": "1.3.5"
}
}
}
}
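Review bot: the sample document is a Homebrew-style state event (`event.action: existing_package`, `event.kind: state`) and omits `release`, `arch`, `license` and `size`, so it never shows the fields a dpkg event populates; consider a dpkg sample as well, since this is the example readers will copy when writing queries. Also, `system.audit.package.installtime` (`2018-08-30`) is later than `@timestamp` (`2017-10-12`), which reads oddly for an event that reports a package as already installed; aligning the two would make the example more believable.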
8 changes: 8 additions & 0 deletions x-pack/auditbeat/module/system/package/_meta/docs.asciidoc
@@ -0,0 +1,8 @@
[role="xpack"]

experimental[]

This is the `package` dataset of the system module.

It is implemented for Linux distributions using dpkg as their package manager,
and for Homebrew on macOS (Darwin).
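Review bot: this names the two supported backends but not which fields each one fills; `_meta/fields.yml` defines `release`, `arch`, `license` and `size`, and the Homebrew sample in `_meta/data.json` carries none of them. A short per-backend list of populated fields here would stop readers from building alerts on fields that are empty on macOS.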
41 changes: 41 additions & 0 deletions x-pack/auditbeat/module/system/package/_meta/fields.yml
@@ -0,0 +1,41 @@
- name: package
type: group
description: >
`package` contains information about an installed or removed package.
release: experimental
fields:
- name: name
type: keyword
description: >
Package name.
- name: version
type: keyword
description: >
Package version.
- name: release
type: keyword
description: >
Package release.
- name: arch
type: keyword
description: >
Package architecture.
- name: license
type: keyword
description: >
Package license.
- name: installtime
type: date
description: >
Package install time.
- name: size
type: long
description: >
Package size.
- name: summary
description: >
Package summary.
- name: url
type: keyword
description: >
Package URL.
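Review bot: the group description says "an installed or removed package" while the config comment added in the same PR says "Installed, updated, and removed packages"; pick one wording so the field docs and the config agree on whether updates are reported. Two descriptions are also too thin to be useful for query writers: `size` (type `long`) should state its unit, and `installtime` (type `date`) should say whether it is the local install time with offset as in the sample (`+01:00`) or normalised to UTC.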
30 changes: 30 additions & 0 deletions x-pack/auditbeat/module/system/package/config.go
@@ -0,0 +1,30 @@
// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
// or more contributor license agreements. Licensed under the Elastic License;
// you may not use this file except in compliance with the Elastic License.

// +build !windows

package pkg

import (
"time"
)

// config defines the package metricset's configuration options.
type config struct {
StatePeriod time.Duration `config:"state.period"`
PackageStatePeriod time.Duration `config:"package.state.period"`
}

func (c *config) effectiveStatePeriod() time.Duration {
if c.PackageStatePeriod != 0 {
return c.PackageStatePeriod
}
return c.StatePeriod
}

func defaultConfig() config {
return config{
StatePeriod: 12 * time.Hour,
}
}
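Review bot: `effectiveStatePeriod` falls back to `StatePeriod` when `package.state.period` is unset, and `defaultConfig` only seeds `StatePeriod`, so a user who writes `state.period: 0` (or a negative value) gets that value back with no error. Add a `Validate() error` on `config` that rejects non-positive periods, so misconfiguration surfaces as a config error rather than as whatever the caller does with a zero duration. The `config:"package.state.period"` tag matches the commented `# package.state.period: 12h` in the reference file, which is good.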