[Auditbeat] Auditd: Change user fields to ECS (#10456)
Changes the UID and GID fields of the `auditd` module to follow the new ECS format.
Christoph Wurm committed Feb 5, 2019
1 parent 0f07db7 commit 89af30d
Showing 12 changed files with 461 additions and 141 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -39,6 +39,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Change data type of `file.uid` and `file.gid` to string in JSON output of the
FIM module. {pull}10195[10195]
- Field `file.origin` changed type from `text` to `keyword`. {pull}10544[10544]
- Rename user fields to ECS in auditd module. {pull}10456[10456]

*Filebeat*

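Review bot: the changelog entry "Rename user fields to ECS in auditd module" tells a user upgrading nothing about which fields moved or that the whole `user.name_map.*` object goes away, even though it sits in the breaking-changes section; either list the headline renames inline (`user.uid` -> `user.id`, `user.auid` -> `user.audit.id`, `user.name_map.<x>` -> `user.<...>.name`) or add "see the field table in `auditbeat/docs/breaking.asciidoc`" so the entry points at the migration table this same commit adds.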
44 changes: 44 additions & 0 deletions auditbeat/_meta/fields.common.yml
Expand Up @@ -55,20 +55,58 @@
description: User information.
fields:

- name: audit
type: group
description: Audit user information.
fields:
- name: id
type: keyword
description: Audit user ID.
- name: name
type: keyword
description: Audit user name.

- name: effective
type: group
description: Effective user information.
fields:
- name: id
type: keyword
description: Effective user ID.
- name: name
type: keyword
description: Effective user name.
- name: group
type: group
description: Effective group information.
fields:
- name: id
type: keyword
description: Effective group ID.
- name: name
type: keyword
description: Effective group name.

- name: filesystem
type: group
description: Filesystem user information.
fields:
- name: id
type: keyword
description: Filesystem user ID.
- name: name
type: keyword
description: Filesystem user name.
- name: group
type: group
description: Filesystem group information.
fields:
- name: id
type: keyword
description: Filesystem group ID.
- name: name
type: keyword
description: Filesystem group name.

- name: saved
type: group
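Review bot: the descriptions for the new `audit`, `effective` and `filesystem` groups just restate the field name ("Audit user ID.", "Effective user ID.", "Filesystem user ID."), so the field analysts most need explained, `user.audit.id`, says nothing about why it exists: it is the auditd login UID (`auid`), set at login and preserved across `su`, `sudo` and setuid transitions, so it still identifies the original user when `user.id` and `user.effective.id` have both become 0. Suggest `description: Login UID (auid), set at login and kept across privilege changes.` and, for the other two, wording such as `description: Effective user ID (euid), the UID used for permission checks.` and `description: Filesystem user ID (fsuid), the UID used for filesystem access checks.` The old names `auid`, `euid` and `fsuid` disappear from the schema in this commit, so the description is the only place a reader will still see the kernel term they know.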
Expand All @@ -77,10 +115,16 @@
- name: id
type: keyword
description: Saved user ID.
- name: name
type: keyword
description: Saved user name.
- name: group
type: group
description: Saved group information.
fields:
- name: id
type: keyword
description: Saved group ID.
- name: name
type: keyword
description: Saved group name.
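Review bot: `user.saved.id` / `user.saved.group.id` are described as "Saved user ID." / "Saved group ID." without saying these are the POSIX saved set-user-ID and saved set-group-ID (the old `suid` / `sgid` fields), which matter because a process that has dropped privileges can regain them with seteuid()/setegid() as long as the saved ID is still 0; `description: Saved set-user-ID (suid); a process can switch back to it with seteuid().` would make that clear. Also, every `id` in this file is `type: keyword`; if the previous `user.suid`-style fields were not already keyword, that type change should be called out in breaking.asciidoc rather than being discoverable only from the field schema.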
19 changes: 18 additions & 1 deletion auditbeat/docs/breaking.asciidoc
Expand Up @@ -9,6 +9,24 @@ In version 7.0 the following fields were renamed.
|Old Field|New Field
|`process.cwd` |`process.working_directory`
|`source.hostname` |`source.domain`
|`user.auid` |`user.audit.id`
|`user.uid` |`user.id`
|`user.euid` |`user.effective.id`
|`user.fsuid` |`user.filesystem.id`
|`user.suid` |`user.saved.id`
|`user.gid` |`user.group.id`
|`user.egid` |`user.effective.group.id`
|`user.sgid` |`user.saved.group.id`
|`user.fsgid` |`user.filesystem.group.id`
|`user.name_map.auid` |`user.audit.name`
|`user.name_map.uid` |`user.name`
|`user.name_map.euid` |`user.effective.name`
|`user.name_map.fsuid` |`user.filesystem.name`
|`user.name_map.suid` |`user.saved.name`
|`user.name_map.gid` |`user.group.name`
|`user.name_map.egid` |`user.effective.group.name`
|`user.name_map.sgid` |`user.saved.group.name`
|`user.name_map.fsgid` |`user.filesystem.group.name`
|======================

The JSON data types produced by the output have been changed to align with
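Review bot: the table is an unordered mix of 18 user and group rows, which makes it hard to check that every old field has a target and hides the pattern; grouping the rows (uid, euid, suid, fsuid, auid; then gid, egid, sgid, fsgid; then the matching `name_map` rows in the same order), or adding one sentence that `user.name_map.<x>` always maps to the `.name` sibling of wherever `user.<x>` went, would let readers verify the mapping at a glance. The intro "the following fields were renamed" also undersells it: the `user.name_map` object is removed entirely, so Kibana saved searches, visualizations and alert rules keyed on `user.name_map.*`, `user.auid`, `user.euid` etc. must be rewritten, and that consequence deserves a sentence above the table.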
Expand Down Expand Up @@ -148,4 +166,3 @@ moved under the `file` namespace.]
|`audit.file.hash` |`hash`
|`audit.file` |`file`
|======================
