Move user.audit.* and user.filesystem.* to fields.common.yml

elastic · Feb 4, 2019 · 290247d · 290247d
1 parent cfb597a
commit 290247d
Show file tree

Hide file tree

Showing 5 changed files with 106 additions and 106 deletions.
diff --git a/auditbeat/_meta/fields.common.yml b/auditbeat/_meta/fields.common.yml
@@ -55,6 +55,17 @@
     description: User information.
     fields:
 
+    - name: audit
+      type: group
+      description: Audit user information.
+      fields:
+      - name: id
+        type: keyword
+        description: Audit user ID.
+      - name: name
+        type: keyword
+        description: Audit user name.
+
     - name: effective
       type: group
       description: Effective user information.
@@ -76,6 +87,27 @@
           type: keyword
           description: Effective group name.
 
+    - name: filesystem
+      type: group
+      description: Filesystem user information.
+      fields:
+      - name: id
+        type: keyword
+        description: Filesystem user ID.
+      - name: name
+        type: keyword
+        description: Filesystem user name.
+      - name: group
+        type: group
+        description: Filesystem group information.
+        fields:
+        - name: id
+          type: keyword
+          description: Filesystem group ID.
+        - name: name
+          type: keyword
+          description: Filesystem group name.
+
     - name: saved
       type: group
       description: Saved user information.

diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc
@@ -32,78 +32,6 @@ These are the fields generated by the auditd module.
 
 
 
-[float]
-== audit fields
-
-Audit user information.
-
-
-*`user.audit.id`*::
-+
---
-type: keyword
-
-Audit user ID.
-
---
-
-*`user.audit.name`*::
-+
---
-type: keyword
-
-Audit user name.
-
---
-
-[float]
-== filesystem fields
-
-Filesystem user information.
-
-
-*`user.filesystem.id`*::
-+
---
-type: keyword
-
-Filesystem user ID.
-
---
-
-*`user.filesystem.name`*::
-+
---
-type: keyword
-
-Filesystem user name.
-
---
-
-[float]
-== group fields
-
-Filesystem group information.
-
-
-*`user.filesystem.group.id`*::
-+
---
-type: keyword
-
-Filesystem group ID.
-
---
-
-*`user.filesystem.group.name`*::
-+
---
-type: keyword
-
-Filesystem group name.
-
---
-
 *`user.auid`*::
 +
 --
@@ -2749,6 +2677,30 @@ The object's SELinux level.
 User information.
 
 
+[float]
+== audit fields
+
+Audit user information.
+
+
+*`user.audit.id`*::
++
+--
+type: keyword
+
+Audit user ID.
+
+--
+
+*`user.audit.name`*::
++
+--
+type: keyword
+
+Audit user name.
+
+--
+
 [float]
 == effective fields
 
@@ -2797,6 +2749,54 @@ Effective group name.
 
 --
 
+[float]
+== filesystem fields
+
+Filesystem user information.
+
+
+*`user.filesystem.id`*::
++
+--
+type: keyword
+
+Filesystem user ID.
+
+--
+
+*`user.filesystem.name`*::
++
+--
+type: keyword
+
+Filesystem user name.
+
+--
+
+[float]
+== group fields
+
+Filesystem group information.
+
+
+*`user.filesystem.group.id`*::
++
+--
+type: keyword
+
+Filesystem group ID.
+
+--
+
+*`user.filesystem.group.name`*::
++
+--
+type: keyword
+
+Filesystem group name.
+
+--
+
 [float]
 == saved fields