From 4ac334337071879c67bafe617ad2fec176ccab8d Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Mon, 4 Feb 2019 11:33:32 -0500 Subject: [PATCH 1/2] Change event.type to auditd.message_type `event.type` is a reserved field in ECS so move the current field to `auditd.message_type`. --- CHANGELOG.next.asciidoc | 1 + auditbeat/docs/breaking.asciidoc | 1 + auditbeat/docs/fields.asciidoc | 12 ++++++++++++ auditbeat/module/auditd/_meta/accept.json | 4 ++-- auditbeat/module/auditd/_meta/data.json | 4 ++-- auditbeat/module/auditd/_meta/execve.json | 4 ++-- auditbeat/module/auditd/_meta/fields.yml | 5 +++++ auditbeat/module/auditd/audit_linux.go | 10 +++++----- auditbeat/module/auditd/fields.go | 2 +- 9 files changed, 31 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 7bae58822c60..5eda7f8d8a81 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -40,6 +40,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d FIM module. {pull}10195[10195] - Field `file.origin` changed type from `text` to `keyword`. {pull}10544[10544] - Rename user fields to ECS in auditd module. {pull}10456[10456] +- Rename `event.type` to `auditd.message_type` in auditd module because event.type is reserved for future use by ECS. {pull}10536[10536] *Filebeat* diff --git a/auditbeat/docs/breaking.asciidoc b/auditbeat/docs/breaking.asciidoc index 056bf5877dd3..2d179749fa6b 100644 --- a/auditbeat/docs/breaking.asciidoc +++ b/auditbeat/docs/breaking.asciidoc @@ -7,6 +7,7 @@ In version 7.0 the following fields were renamed. [frame="topbot",options="header"] |====================== |Old Field|New Field +|`event.type` |`auditd.message_type` |`process.cwd` |`process.working_directory` |`source.hostname` |`source.domain` |`user.auid` |`user.audit.id` diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc index 15f65dda37e8..b4130f9c1653 100644 --- a/auditbeat/docs/fields.asciidoc 
+++ b/auditbeat/docs/fields.asciidoc @@ -302,6 +302,18 @@ This is the path associated with a unix socket. -- +*`auditd.message_type`*:: ++ +-- +type: keyword + +example: syscall + +The audit message type (e.g. syscall or apparmor_denied). + + +-- + *`auditd.sequence`*:: + -- diff --git a/auditbeat/module/auditd/_meta/accept.json b/auditbeat/module/auditd/_meta/accept.json index 89bef81fb123..7d300556af33 100644 --- a/auditbeat/module/auditd/_meta/accept.json +++ b/auditbeat/module/auditd/_meta/accept.json @@ -15,6 +15,7 @@ "syscall": "accept", "tty": "(none)" }, + "message_type": "syscall", "result": "success", "sequence": 8832, "session": "unset", @@ -34,8 +35,7 @@ "event": { "action": "accepted-connection-from", "category": "audit-rule", - "module": "auditd", - "type": "syscall" + "module": "auditd" }, "network": { "direction": "incoming" diff --git a/auditbeat/module/auditd/_meta/data.json b/auditbeat/module/auditd/_meta/data.json index d60269f9fdc7..7b9b6814b477 100644 --- a/auditbeat/module/auditd/_meta/data.json +++ b/auditbeat/module/auditd/_meta/data.json @@ -10,6 +10,7 @@ "op": "login", "terminal": "sshd" }, + "message_type": "user_login", "result": "fail", "sequence": 19955, "session": "unset", @@ -29,8 +30,7 @@ "event": { "action": "logged-in", "category": "user-login", - "module": "auditd", - "type": "user_login" + "module": "auditd" }, "network": { "direction": "incoming" diff --git a/auditbeat/module/auditd/_meta/execve.json b/auditbeat/module/auditd/_meta/execve.json index 5adb678e8a7f..72fb54621da9 100644 --- a/auditbeat/module/auditd/_meta/execve.json +++ b/auditbeat/module/auditd/_meta/execve.json @@ -11,6 +11,7 @@ "syscall": "execve", "tty": "pts0" }, + "message_type": "syscall", "paths": [ { "dev": "08:01", @@ -53,8 +54,7 @@ "event": { "action": "executed", "category": "audit-rule", - "module": "auditd", - "type": "syscall" + "module": "auditd" }, "file": { "device": "00:00", 
diff --git a/auditbeat/module/auditd/_meta/fields.yml b/auditbeat/module/auditd/_meta/fields.yml index 162dbba1f0ca..ebc7424c24cc 100644 --- a/auditbeat/module/auditd/_meta/fields.yml +++ b/auditbeat/module/auditd/_meta/fields.yml @@ -135,6 +135,11 @@ - name: auditd type: group fields: + - name: message_type + type: keyword + example: syscall + description: > + The audit message type (e.g. syscall or apparmor_denied). - name: sequence type: long description: > diff --git a/auditbeat/module/auditd/audit_linux.go b/auditbeat/module/auditd/audit_linux.go index f107819a8932..c2582fef62fd 100644 --- a/auditbeat/module/auditd/audit_linux.go +++ b/auditbeat/module/auditd/audit_linux.go @@ -472,15 +472,15 @@ func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event RootFields: common.MapStr{ "event": common.MapStr{ "category": auditEvent.Category.String(), - "type": strings.ToLower(auditEvent.Type.String()), "action": auditEvent.Summary.Action, }, }, ModuleFields: common.MapStr{ - "sequence": auditEvent.Sequence, - "result": auditEvent.Result, - "session": auditEvent.Session, - "data": createAuditdData(auditEvent.Data), + "message_type": strings.ToLower(auditEvent.Type.String()), + "sequence": auditEvent.Sequence, + "result": auditEvent.Result, + "session": auditEvent.Session, + "data": createAuditdData(auditEvent.Data), }, } diff --git a/auditbeat/module/auditd/fields.go b/auditbeat/module/auditd/fields.go index 28eb9116ecfb..72019a96aa12 100644 --- a/auditbeat/module/auditd/fields.go +++ b/auditbeat/module/auditd/fields.go @@ -32,5 +32,5 @@ func init() { // AssetAuditd returns asset data. // This is the base64 encoded gzipped contents of module/auditd. func AssetAuditd() string { - return "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" + return "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" } From dfb52cc0f08b7b9b6bf508563f47072b02f833c5 Mon Sep 17 00:00:00 2001 
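Review bot: In `buildMetricbeatEvent`, the new `"message_type"` key under `ModuleFields` carries the lowercased audit record type that used to be `event.type`, but nothing at that spot says why it no longer sits under `event`. I would add a comment above the key, for example `// event.type is reserved by ECS, so the audit record type is reported as auditd.message_type.` The `dev-tools/ecs-migration.yml` hunk in patch 2/2 records the move with `alias: false`, which presumably means no alias is generated, so saved searches, alerts and detection rules that filter auditd events on `event.type` (for example `user_login`) would stop matching after upgrade without any error; its `comment:` could say that such queries must be updated. No test change asserting the new field location is visible in this patch. The function starts before the hunk and continues after it.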
From: Andrew Kroh Date: Mon, 4 Feb 2019 17:32:55 -0500 Subject: [PATCH 2/2] Update ecs-migration.yml --- dev-tools/ecs-migration.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/dev-tools/ecs-migration.yml b/dev-tools/ecs-migration.yml index df5d69a25a5d..5f7f578c7a55 100644 --- a/dev-tools/ecs-migration.yml +++ b/dev-tools/ecs-migration.yml @@ -1613,6 +1613,12 @@ alias: true beat: auditbeat +- from: event.type + to: auditd.message_type + alias: false + beat: auditbeat + comment: event.type is reserved for future use by ECS. + # Metricbeat ## Metricbeat base fields