elastic · webmat · Jan 17, 2019 · Nov 29, 2018 · Nov 29, 2018 · Nov 29, 2018
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -29,6 +29,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Rename many `traefik.access.*` fields to map to ECS. {pull}9005[9005]
 - Fix parsing of GC entries in elasticsearch server log. {issue}9513[9513] {pull}9810[9810]
 - Rename `read_timestamp` to `event.created` for Redis input. {pull}9924[9924]
+- Rename a few `elasticsearch.audit.*` fields to map to ECS. {pull}9293[9293]
 - Rename many `iis.error.*` fields to map to ECS. {pull}9955[9955]
 - Rename a few `logstash.*` fields to map to ECS, remove logstash.slowlog.message. {pull}9935[9935]
 - Rename a few `mysql.*` fields to map to ECS. {pull}10008[10008]
@@ -124,6 +125,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add support for ssl_request_log in apache2 module. {issue}8088[8088] {pull}9833[9833]
 - Add support for iis 7.5 log format. {issue}9753[9753] {pull}9967[9967]
 - Add service.type field to all Modules. By default the field is set with the module name. It can be overwritten with `service.type` config. {pull}10042[10042]
+- Elasticsearch module's slowlog now populates `event.duration` (ECS). {pull}9293[9293]
 
 *Heartbeat*
 

diff --git a/dev-tools/ecs-migration.yml b/dev-tools/ecs-migration.yml
@@ -278,6 +278,28 @@
   to: process.thread.id
   alias: true
 
+## Elasticsearch module
+
+- from: elasticsearch.audit.event_type
+  to: event.type
+  alias: true
+
+- from: elasticsearch.audit.origin_address
+  to: source.ip
+  alias: true
+
+- from: elasticsearch.audit.principal
+  to: user.name
+  alias: true
+
+- from: elasticsearch.audit.request_body
+  to: http.request.body.content
+  alias: true
+
+- from: elasticsearch.audit.uri
+  to: url.original
+  alias: true
+
 ## IIS module
 
 - from: iis.access.server_ip

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -3954,91 +3954,81 @@ The layer from which this event originated: rest, transport or ip_filter
 
 --
 
-*`elasticsearch.audit.event_type`*::
+*`elasticsearch.audit.origin_type`*::
 +
 --
 type: keyword
 
-example: access_granted
+example: local_node
 
-The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied
+Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request)
 
 --
 
-*`elasticsearch.audit.origin_type`*::
+*`elasticsearch.audit.action`*::
 +
 --
 type: keyword
 
-example: local_node
+example: cluster:monitor/main
 
-Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request)
+The name of the action that was executed
 
 --
 
-*`elasticsearch.audit.origin_address`*::
+*`elasticsearch.audit.request`*::
 +
 --
-type: ip
+type: keyword
 
-example: 192.168.1.42
+example: ClearScrollRequest
 
-The IP address from which the request originated
+The type of request that was executed
 
 --
 
-*`elasticsearch.audit.principal`*::
+*`elasticsearch.audit.event_type`*::
 +
 --
-type: keyword
-
-example: _anonymous
+type: alias
 
-The principal (username) that failed authentication
+alias to: event.type
 
 --
 
-*`elasticsearch.audit.action`*::
+*`elasticsearch.audit.origin_address`*::
 +
 --
-type: keyword
-
-example: cluster:monitor/main
+type: alias
 
-The name of the action that was executed
+alias to: source.ip
 
 --
 
 *`elasticsearch.audit.uri`*::
 +
 --
-type: keyword
-
-example: /_xpack/security/_authenticate
+type: alias
 
-The REST endpoint URI
+alias to: url.original
 
 --
 
-*`elasticsearch.audit.request`*::
+*`elasticsearch.audit.request_body`*::
 +
 --
-type: keyword
-
-example: ClearScrollRequest
+type: alias
 
-The type of request that was executed
+alias to: http.request.body.content
 
 --
 
-*`elasticsearch.audit.request_body`*::
+*`elasticsearch.audit.principal`*::
 +
 --
-type: text
-
-example: body
+type: alias
 
-The body of the request, if enabled
+alias to: user.name
 
 --
 

@@ -6,35 +6,36 @@
       description: "The layer from which this event originated: rest, transport or ip_filter"
       example: "rest"
       type: keyword
-    - name: event_type
-      description: "The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied"
-      example: "access_granted"
-      type: keyword
     - name: origin_type
       description: "Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request)"
       example: "local_node"
       type: keyword
-    - name: origin_address
-      description: "The IP address from which the request originated"
-      example: "192.168.1.42"
-      type: ip
-    - name: principal
-      description: "The principal (username) that failed authentication"
-      example: "_anonymous"
-      type: keyword
     - name: action
       description: "The name of the action that was executed"
       example: "cluster:monitor/main"
       type: keyword
-    - name: uri
-      description: "The REST endpoint URI"
-      example: /_xpack/security/_authenticate
-      type: keyword
     - name: request
       description: "The type of request that was executed"
       example: "ClearScrollRequest"
       type: keyword
+
+    - name: event_type
+      type: alias
+      path: event.type
+      migration: true
+    - name: origin_address
+      type: alias
+      path: source.ip
+      migration: true
+    - name: uri
+      type: alias
+      path: url.original
+      migration: true
     - name: request_body
-      description: "The body of the request, if enabled"
-      example: "body"
-      type: text
+      type: alias
+      path: http.request.body.content
+      migration: true
+    - name: principal
+      type: alias
+      path: user.name
+      migration: true
@@ -11,7 +11,7 @@
           "grok": {
               "field": "message",
               "patterns": [
-                  "\\[%{TIMESTAMP_ISO8601:elasticsearch.audit.timestamp}\\]\\s*(\\[%{WORD:elasticsearch.node.name}\\])?\\s*\\[%{WORD:elasticsearch.audit.layer}\\]\\s*\\[%{WORD:elasticsearch.audit.event_type}\\]\\s*(origin_type\\=\\[%{WORD:elasticsearch.audit.origin_type}\\])?,?\\s*(origin_address\\=\\[%{IPORHOST:elasticsearch.audit.origin_address}\\])?,?\\s*(principal\\=\\[%{WORD:elasticsearch.audit.principal}\\])?,?\\s*(action\\=\\[%{DATA:elasticsearch.audit.action}\\])?,?\\s*?(uri=\\[%{DATA:elasticsearch.audit.uri}\\])?,?\\s*(request\\=\\[%{WORD:elasticsearch.audit.request}\\])?,?\\s*(request_body\\=\\[%{DATA:elasticsearch.audit.request_body}\\])?,?"
+                  "\\[%{TIMESTAMP_ISO8601:elasticsearch.audit.timestamp}\\]\\s*(\\[%{WORD:elasticsearch.node.name}\\])?\\s*\\[%{WORD:elasticsearch.audit.layer}\\]\\s*\\[%{WORD:event.type}\\]\\s*(origin_type\\=\\[%{WORD:elasticsearch.audit.origin_type}\\])?,?\\s*(origin_address\\=\\[%{IPORHOST:source.ip}\\])?,?\\s*(principal\\=\\[%{WORD:user.name}\\])?,?\\s*(action\\=\\[%{DATA:elasticsearch.audit.action}\\])?,?\\s*?(uri=\\[%{DATA:url.original}\\])?,?\\s*(request\\=\\[%{WORD:elasticsearch.audit.request}\\])?,?\\s*(request_body\\=\\[%{DATA:http.request.body.content}\\])?,?"
               ]
           }
       },

@@ -2,120 +2,120 @@
     {
         "@timestamp": "2018-06-19T05:16:15.549Z",
         "ecs.version": "1.0.0-beta2",
-        "elasticsearch.audit.event_type": "authentication_failed",
         "elasticsearch.audit.layer": "rest",
-        "elasticsearch.audit.origin_address": "147.107.128.77",
-        "elasticsearch.audit.principal": "i030648",
-        "elasticsearch.audit.uri": "/_xpack/security/_authenticate",
         "event.dataset": "elasticsearch.audit",
         "event.module": "elasticsearch",
+        "event.type": "authentication_failed",
         "fileset.name": "audit",
         "input.type": "log",
         "log.offset": 0,
         "message": "[2018-06-19T05:16:15,549] [rest] [authentication_failed]        origin_address=[147.107.128.77], principal=[i030648], uri=[/_xpack/security/_authenticate]",
-        "service.type": "elasticsearch"
+        "service.type": "elasticsearch",
+        "source.ip": "147.107.128.77",
+        "url.original": "/_xpack/security/_authenticate",
+        "user.name": "i030648"
     },
     {
         "@timestamp": "2018-06-19T05:07:52.304Z",
         "ecs.version": "1.0.0-beta2",
-        "elasticsearch.audit.event_type": "authentication_failed",
         "elasticsearch.audit.layer": "rest",
-        "elasticsearch.audit.origin_address": "172.22.0.3",
-        "elasticsearch.audit.principal": "rado",
-        "elasticsearch.audit.uri": "/_xpack/security/_authenticate",
         "elasticsearch.node.name": "v_VJhjV",
         "event.dataset": "elasticsearch.audit",
         "event.module": "elasticsearch",
+        "event.type": "authentication_failed",
         "fileset.name": "audit",
         "input.type": "log",
         "log.offset": 155,
         "message": "[2018-06-19T05:07:52,304] [v_VJhjV] [rest] [authentication_failed]\torigin_address=[172.22.0.3], principal=[rado], uri=[/_xpack/security/_authenticate]",
-        "service.type": "elasticsearch"
+        "service.type": "elasticsearch",
+        "source.ip": "172.22.0.3",
+        "url.original": "/_xpack/security/_authenticate",
+        "user.name": "rado"
     },
     {
         "@timestamp": "2018-06-19T05:00:15.778Z",
         "ecs.version": "1.0.0-beta2",
         "elasticsearch.audit.action": "indices:data/read/scroll/clear",
-        "elasticsearch.audit.event_type": "access_granted",
         "elasticsearch.audit.layer": "transport",
-        "elasticsearch.audit.origin_address": "192.168.1.165",
         "elasticsearch.audit.origin_type": "local_node",
-        "elasticsearch.audit.principal": "_xpack_security",
         "elasticsearch.audit.request": "ClearScrollRequest",
         "event.dataset": "elasticsearch.audit",
         "event.module": "elasticsearch",
+        "event.type": "access_granted",
         "fileset.name": "audit",
         "input.type": "log",
         "log.offset": 306,
         "message": "[2018-06-19T05:00:15,778] [transport] [access_granted]  origin_type=[local_node], origin_address=[192.168.1.165], principal=[_xpack_security], action=[indices:data/read/scroll/clear], request=[ClearScrollRequest]",
-        "service.type": "elasticsearch"
+        "service.type": "elasticsearch",
+        "source.ip": "192.168.1.165",
+        "user.name": "_xpack_security"
     },
     {
         "@timestamp": "2018-06-19T05:07:45.544Z",
         "ecs.version": "1.0.0-beta2",
-        "elasticsearch.audit.event_type": "anonymous_access_denied",
         "elasticsearch.audit.layer": "rest",
-        "elasticsearch.audit.origin_address": "172.22.0.3",
-        "elasticsearch.audit.uri": "/_xpack/security/_authenticate",
         "elasticsearch.node.name": "v_VJhjV",
         "event.dataset": "elasticsearch.audit",
         "event.module": "elasticsearch",
+        "event.type": "anonymous_access_denied",
         "fileset.name": "audit",
         "input.type": "log",
         "log.offset": 519,
         "message": "[2018-06-19T05:07:45,544] [v_VJhjV] [rest] [anonymous_access_denied]\torigin_address=[172.22.0.3], uri=[/_xpack/security/_authenticate]",
-        "service.type": "elasticsearch"
+        "service.type": "elasticsearch",
+        "source.ip": "172.22.0.3",
+        "url.original": "/_xpack/security/_authenticate"
     },
     {
         "@timestamp": "2018-06-19T05:26:27.268Z",
         "ecs.version": "1.0.0-beta2",
-        "elasticsearch.audit.event_type": "authentication_failed",
         "elasticsearch.audit.layer": "rest",
-        "elasticsearch.audit.origin_address": "147.107.128.77",
-        "elasticsearch.audit.principal": "N078801",
-        "elasticsearch.audit.uri": "/_xpack/security/_authenticate",
         "event.dataset": "elasticsearch.audit",
         "event.module": "elasticsearch",
+        "event.type": "authentication_failed",
         "fileset.name": "audit",
         "input.type": "log",
         "log.offset": 654,
         "message": "[2018-06-19T05:26:27,268] [rest] [authentication_failed]\torigin_address=[147.107.128.77], principal=[N078801], uri=[/_xpack/security/_authenticate]",
-        "service.type": "elasticsearch"
+        "service.type": "elasticsearch",
+        "source.ip": "147.107.128.77",
+        "url.original": "/_xpack/security/_authenticate",
+        "user.name": "N078801"
     },
     {
         "@timestamp": "2018-06-19T05:55:26.898Z",
         "ecs.version": "1.0.0-beta2",
         "elasticsearch.audit.action": "cluster:monitor/main",
-        "elasticsearch.audit.event_type": "access_denied",
         "elasticsearch.audit.layer": "transport",
-        "elasticsearch.audit.origin_address": "147.107.128.77",
         "elasticsearch.audit.origin_type": "rest",
-        "elasticsearch.audit.principal": "_anonymous",
         "elasticsearch.audit.request": "MainRequest",
         "event.dataset": "elasticsearch.audit",
         "event.module": "elasticsearch",
+        "event.type": "access_denied",
         "fileset.name": "audit",
         "input.type": "log",
         "log.offset": 802,
         "message": "[2018-06-19T05:55:26,898] [transport] [access_denied]\torigin_type=[rest], origin_address=[147.107.128.77], principal=[_anonymous], action=[cluster:monitor/main], request=[MainRequest]",
-        "service.type": "elasticsearch"
+        "service.type": "elasticsearch",
+        "source.ip": "147.107.128.77",
+        "user.name": "_anonymous"
     },
     {
         "@timestamp": "2018-06-19T05:24:15.190Z",
         "ecs.version": "1.0.0-beta2",
-        "elasticsearch.audit.event_type": "authentication_failed",
         "elasticsearch.audit.layer": "rest",
-        "elasticsearch.audit.origin_address": "172.18.0.3",
-        "elasticsearch.audit.principal": "elastic",
-        "elasticsearch.audit.request_body": "body",
-        "elasticsearch.audit.uri": "/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip",
         "elasticsearch.node.name": "v_VJhjV",
         "event.dataset": "elasticsearch.audit",
         "event.module": "elasticsearch",
+        "event.type": "authentication_failed",
         "fileset.name": "audit",
+        "http.request.body.content": "body",
         "input.type": "log",
         "log.offset": 986,
         "message": "[2018-06-19T05:24:15,190] [v_VJhjV] [rest] [authentication_failed]\torigin_address=[172.18.0.3], principal=[elastic], uri=[/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip], request_body=[body]",
-        "service.type": "elasticsearch"
+        "service.type": "elasticsearch",
+        "source.ip": "172.18.0.3",
+        "url.original": "/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip",
+        "user.name": "elastic"
     }
 ]