
Adding categorization fields for the system/auth module #11334

Merged
merged 3 commits into from
Mar 21, 2019

Conversation

tsg
Contributor

@tsg tsg commented Mar 20, 2019

This PR adds the following fields for the SSH login events:

  • event.category: authentication
  • event.action: ssh_login
  • event.type either authentication_success or authentication_failure
  • event.outcome either success or failure

This PR also brings back the system.auth.ssh.event field, as we had it in 6.x. This removes a migration.

The PR doesn't attempt to categorize other logs besides the SSH login attempts,
so it's a subset of #9905, but it's what we need for the UI.

This PR adds the following fields for the SSH login events:

* `event.category: authentication`
* `event.action: ssh_login`
* `event.type` either `authentication_success` or `authentication_failure`

The `event.outcome` is currently not quite ECS compliant, but I didn't touch it to
avoid a breaking change.

The PR doesn't attempt to categorize other logs besides the SSH login attempts,
so it's a subset of elastic#9905, but it's what we need for the UI.
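As an added illustration (not code from this PR or from Beats), here is the categorization the description lists, applied to a few constructed sshd syslog lines. The line shape, the choice of `user.name`/`source.ip` for the parsed values, and reusing sshd's `Accepted`/`Failed` keyword as `system.auth.ssh.event` are assumptions of this example.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample lines (not from the PR); the OpenSSH syslog shape is assumed.
SAMPLE_LINES = [
    "Mar 20 11:48:01 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Mar 20 11:48:07 host sshd[1235]: Failed password for bob from 10.0.0.9 port 51235 ssh2",
    "Mar 20 11:48:09 host sshd[1236]: Failed password for invalid user admin from 10.0.0.9 port 51236 ssh2",
    "Mar 20 11:48:11 host sshd[1237]: Received disconnect from 10.0.0.9 port 51236:11: Bye Bye",
]

# Only login attempts are matched; every other sshd line stays uncategorized,
# which mirrors the PR's scope (SSH login attempts only).
_SSH_LOGIN = re.compile(
    r"sshd\[\d+\]: (?P<event>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def categorize(line: str) -> Optional[dict]:
    """Return the fields the PR adds for an SSH login line, or None for other lines."""
    m = _SSH_LOGIN.search(line)
    if m is None:
        return None
    ok = m.group("event") == "Accepted"
    return {
        "event.category": "authentication",
        "event.action": "ssh_login",
        "event.type": "authentication_success" if ok else "authentication_failure",
        "event.outcome": "success" if ok else "failure",
        # Assumed: the 6.x-style field carries sshd's own keyword.
        "system.auth.ssh.event": m.group("event"),
        "user.name": m.group("user"),
        "source.ip": m.group("ip"),
    }


def failures_by_source(lines) -> dict:
    """Count authentication_failure events per source.ip, a typical brute-force signal."""
    counts: Counter = Counter()
    for line in lines:
        ev = categorize(line)
        if ev and ev["event.type"] == "authentication_failure":
            counts[ev["source.ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(categorize(line))
    print(failures_by_source(SAMPLE_LINES))
```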
@tsg tsg requested a review from a team as a code owner March 20, 2019 11:48
@elasticmachine
Collaborator

Pinging @elastic/secops

@tsg tsg added the needs_backport PR is waiting to be backported to other branches. label Mar 20, 2019
@tsg tsg requested a review from a team as a code owner March 20, 2019 13:04
Member

@jsoriano jsoriano left a comment


Great, thanks!

@ruflin
Member

ruflin commented Mar 21, 2019

@tsg Do you want to add a changelog? Not sure if we release this already in beta1?

@tsg
Contributor Author

tsg commented Mar 21, 2019

Changelog pushed, will only wait for intake for this one since it was fully green before the changelog change.

@tsg tsg merged commit a9f567b into elastic:master Mar 21, 2019
tsg added a commit to tsg/beats that referenced this pull request Mar 21, 2019
* Adding categorization fields for the system/auth module

This PR adds the following fields for the SSH login events:

* `event.category: authentication`
* `event.action: ssh_login`
* `event.type` either `authentication_success` or `authentication_failure`

The `event.outcome` is currently not quite ECS compliant, but I didn't touch it to
avoid a breaking change.

The PR doesn't attempt to categorize other logs besides the SSH login attempts,
so it's a subset of elastic#9905, but it's what we need for the UI.

* Normalized event.outcome and brought back `system.auth.ssh.event`.

* changelog

(cherry picked from commit a9f567b)
@tsg tsg added v7.0.0 and removed needs_backport PR is waiting to be backported to other branches. labels Mar 21, 2019
tsg added a commit that referenced this pull request Mar 21, 2019
…m/auth module (#11363)

* Adding categorization fields for the system/auth module (#11334)

* Adding categorization fields for the system/auth module

This PR adds the following fields for the SSH login events:

* `event.category: authentication`
* `event.action: ssh_login`
* `event.type` either `authentication_success` or `authentication_failure`

The `event.outcome` is currently not quite ECS compliant, but I didn't touch it to
avoid a breaking change.

The PR doesn't attempt to categorize other logs besides the SSH login attempts,
so it's a subset of #9905, but it's what we need for the UI.

* Normalized event.outcome and brought back `system.auth.ssh.event`.

* changelog

(cherry picked from commit a9f567b)

* cleanup changelog
webmat pushed a commit to webmat/beats that referenced this pull request Mar 28, 2019
- This adds the missing nginx field alias
- This also introduces an update introduced in elastic#11334
ruflin pushed a commit that referenced this pull request Mar 29, 2019
- It was missing in the breaking changes doc (generated from ecs-migration.yml)
- The actual field alias was incorrectly pointing to source.ip, this has been
  adjusted to source.address
- Re-generating the documentation file also updated the breaking changes to
  include a change introduced in #11334

This should be backported to 7.0.

Closes #11510
ruflin pushed a commit to ruflin/beats that referenced this pull request Mar 29, 2019
- It was missing in the breaking changes doc (generated from ecs-migration.yml)
- The actual field alias was incorrectly pointing to source.ip, this has been
  adjusted to source.address
- Re-generating the documentation file also updated the breaking changes to
  include a change introduced in elastic#11334

This should be backported to 7.0.

Closes elastic#11510

(cherry picked from commit 692ef9e)
ruflin added a commit that referenced this pull request Mar 29, 2019
- It was missing in the breaking changes doc (generated from ecs-migration.yml)
- The actual field alias was incorrectly pointing to source.ip, this has been
  adjusted to source.address
- Re-generating the documentation file also updated the breaking changes to
  include a change introduced in #11334

This should be backported to 7.0.

Closes #11510

(cherry picked from commit 692ef9e)