Skip to content

Commit

Permalink
Apply RFC 0007 stage 3 changes - multi-user (#1066)
Browse files Browse the repository at this point in the history
  • Loading branch information
Mathieu Martin authored Dec 7, 2020
1 parent fe8c043 commit 5f5c4ec
Show file tree
Hide file tree
Showing 13 changed files with 1,939 additions and 17 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.next.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ Thanks, you're awesome :-) -->

* Added `event.category` "registry". #1040
* Added `event.category` "session". #1049
* Added usage documentation for `user` fields. #1066
* Added `user` fields at `user.effective.*`, `user.target.*` and `user.changes.*`. #1066
* Added `os.type`. #1111

#### Improvements
Expand All @@ -26,6 +28,8 @@ Thanks, you're awesome :-) -->

#### Deprecated

* Deprecated `host.user.*` fields for removal at the next major. #1066

### Tooling and Artifact Changes

#### Breaking changes
Expand Down
31 changes: 30 additions & 1 deletion docs/field-details.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -7541,6 +7541,10 @@ The user fields describe information about the user that is relevant to the even

Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.

Find additional usage and examples in the user fields <<ecs-user-usage,usage>> section.



[discrete]
==== User Field Details

Expand Down Expand Up @@ -7686,7 +7690,7 @@ example: `["kibana_admin", "reporting_user"]`
[discrete]
==== Field Reuse

The `user` fields are expected to be nested at: `client.user`, `destination.user`, `host.user`, `server.user`, `source.user`.
The `user` fields are expected to be nested at: `client.user`, `destination.user`, `host.user`, `server.user`, `source.user`, `user.changes`, `user.effective`, `user.target`.

Note also that the `user` fields may be used directly at the root of the events.

Expand All @@ -7704,14 +7708,39 @@ Note also that the `user` fields may be used directly at the root of the events.
// ===============================================================


| <<ecs-user,user.changes.*>>| beta:[ Reusing the user fields in this location is currently considered beta.]

Fields to describe the user relevant to the event.

// ===============================================================


| <<ecs-user,user.effective.*>>| beta:[ Reusing the user fields in this location is currently considered beta.]

Fields to describe the user relevant to the event.

// ===============================================================


| <<ecs-group,user.group.*>>
| User's group relevant to the event.

// ===============================================================


| <<ecs-user,user.target.*>>| beta:[ Reusing the user fields in this location is currently considered beta.]

Fields to describe the user relevant to the event.

// ===============================================================


|=====



include::usage/user.asciidoc[]

[[ecs-user_agent]]
=== User agent Fields

Expand Down
Loading

0 comments on commit 5f5c4ec

Please sign in to comment.