
Auditbeat GA cleanup #6138

Merged: 4 commits merged into elastic:master from andrewkroh:feature/ab/auditbeat-ga on Jan 23, 2018

@andrewkroh
Member

andrewkroh commented Jan 22, 2018

Fix issues affecting the latest version of Auditbeat.

  • Add filter to omit symlinks from "World Writeable File Count" viz.
  • Remove cfgwarn.Beta from Auditbeat modules.
  • Add missing structured logging key name to an Auditbeat warning.
  • Add breaking changes documentation for Auditbeat 6.2

@andrewkroh andrewkroh referenced this pull request Jan 22, 2018

Closed

Auditbeat GA #5432

9 of 9 tasks complete

@andrewkroh andrewkroh added the docs label Jan 22, 2018

@andrewkroh andrewkroh requested a review from dedemorton Jan 22, 2018

@andrewkroh andrewkroh added the v6.2.0 label Jan 22, 2018

@dedemorton

A few changes, mostly minor. We need to add a bit more guidance for users who aren't using the default template settings.

[float]
=== Configuration Changes
The modules and metricsets were renamed and your configuration must be updated.

@dedemorton

dedemorton Jan 23, 2018

Contributor

This seems like more than just a renaming. I would change this to say something like:

The audit module has been renamed and is now two separate modules: the <<auditbeat-module-auditd,auditd module>> and the <<auditbeat-module-file_integrity,file_integrity module>>. You must update your configuration to use these modules.

The modules and metricsets were renamed and your configuration must be updated.
The `kernel` metricset has been renamed to the

@dedemorton

dedemorton Jan 23, 2018

Contributor

I would say:

The `kernel` metricset has become the <<auditbeat-module-auditd,auditd module>>. 
hash_types: [sha1]
recursive: false <1>
----
<1> `recursive` is a new option in 6.2 and is disabled by default. By setting
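Review bot: the example config in this hunk sets `hash_types: [sha1]`. For a file-integrity module, whose purpose is detecting tampered files, the documented example should not steer users toward a hash with publicly demonstrated collision attacks (SHA-1, since 2017); show `hash_types: [sha256]` in the example instead, or list both and say that `sha1` is kept only for continuity with data already indexed.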

@dedemorton

dedemorton Jan 23, 2018

Contributor

Suggested edit for sentence that begins, "By setting...":

Set the value to true to watch for changes in all sub-directories.

# Rules
----
The `file` metricset has been renamed to the

@dedemorton

dedemorton Jan 23, 2018

Contributor

same as previous...change to: "...has become the..."
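The configuration change the hunks and review comments above describe (the `kernel` metricset becomes the `auditd` module, the `file` metricset becomes the `file_integrity` module, and `recursive` is a new 6.2 option that is off by default), as an added example that is not code from the Beats project or from anyone in this thread: a Python helper that rewrites an already-parsed 6.1 `auditbeat.modules` list into the 6.2 shape. The 6.1 key names in the constructed sample (`kernel.audit_rules`, `file.paths`, `file.scan_at_start`, `file.hash_types`) and the rule that a metricset-prefixed key keeps its name, minus the prefix, on the new module are assumptions of this example, not something the doc states.

```python
"""Rewrite a 6.1 Auditbeat ``audit`` module configuration into the 6.2 layout.

Added example for this review thread; not code from the Beats project.
The 6.2 side follows the breaking-changes doc under review (the ``kernel``
metricset becomes the ``auditd`` module, the ``file`` metricset becomes the
``file_integrity`` module, ``recursive`` is new in 6.2 and disabled by
default). The 6.1 key names used in the sample input and the rule that a
metricset-prefixed key keeps the same name minus the prefix on the new
module are assumptions of this example.
"""
import json
from typing import Any, Dict, List

# 6.1 metricset -> 6.2 module, as documented in the breaking changes.
METRICSET_TO_MODULE = {"kernel": "auditd", "file": "file_integrity"}

# Options that 6.2 added with a default. They are written out explicitly so
# the migrated file records the behaviour it relies on.
NEW_DEFAULTS = {
    # `recursive` is new in 6.2 and off by default; True watches sub-directories.
    "file_integrity": {"recursive": False},
}

# Constructed sample of a 6.1 `auditbeat.modules` section (already parsed
# from YAML). Key names are assumed for this example.
OLD_CONFIG: List[Dict[str, Any]] = [
    {
        "module": "audit",
        "metricsets": ["kernel"],
        "kernel.audit_rules": "-w /etc/passwd -p wa -k identity\n",
    },
    {
        "module": "audit",
        "metricsets": ["file"],
        "file.paths": ["/bin", "/usr/bin", "/etc"],
        "file.scan_at_start": True,
        "file.hash_types": ["sha1"],
    },
]


def migrate_module(old: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Turn one 6.1 ``audit`` module block into one 6.2 block per metricset.

    Keys prefixed with the metricset name move to the top level of the new
    module; keys owned by another enabled metricset in the same block are
    left for that metricset's module; anything else (e.g. ``enabled``) is
    copied unchanged. Non-audit modules pass through untouched.
    """
    if old.get("module") != "audit":
        return [old]
    metricsets = old.get("metricsets") or []
    if not metricsets:
        raise ValueError("audit module block without metricsets cannot be migrated")
    unknown = [ms for ms in metricsets if ms not in METRICSET_TO_MODULE]
    if unknown:
        raise ValueError(f"unknown audit metricsets: {unknown}")

    migrated = []
    for ms in metricsets:
        new_module = METRICSET_TO_MODULE[ms]
        new: Dict[str, Any] = {"module": new_module}
        for key, value in old.items():
            if key in ("module", "metricsets"):
                continue
            owner = key.split(".", 1)[0] if "." in key else None
            if owner == ms:
                new[key[len(ms) + 1:]] = value  # strip the "<metricset>." prefix
            elif owner in METRICSET_TO_MODULE:
                if owner not in metricsets:
                    raise ValueError(f"{key!r} is set but metricset {owner!r} is not enabled")
                # owned by the other metricset in this block; emitted with its module
            else:
                new[key] = value  # common setting, copied as-is
        for opt, default in NEW_DEFAULTS.get(new_module, {}).items():
            new.setdefault(opt, default)
        migrated.append(new)
    return migrated


def migrate_config(modules: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Migrate a whole ``auditbeat.modules`` list."""
    out: List[Dict[str, Any]] = []
    for block in modules:
        out.extend(migrate_module(block))
    return out


if __name__ == "__main__":
    print(json.dumps({"auditbeat.modules": migrate_config(OLD_CONFIG)}, indent=2))
```

Running the script prints the migrated section as JSON (which is also valid YAML). The explicit `recursive: false` preserves the pre-6.2 non-recursive behaviour; switch it to `true` only where you actually want sub-directories watched.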

the modules (and future modules). The table below provides a summary of the
field changes.
If you are using the default index naming and template settings then no action

@dedemorton

dedemorton Jan 23, 2018

Contributor

This sentence is potentially misleading because you say that "no action is required," but then in the next paragraph, you tell users that they need to import the latest dashboards. Some users might think they only need to import the dashboards if they've changed the default settings for the index name and template.

What you're saying (I think) is that users won't run into field mapping issues if they've used the default index name and template settings. I guess this section just needs more detail about what users need to do if they aren't using the default settings.

@andrewkroh

andrewkroh Jan 23, 2018

Member

As it turns out there are no mapping conflicts between 6.1.2 and 6.2 so I'm removing this paragraph.

[float]
=== Event Schema Changes
Most field names were changed in 6.2. This is because of the module renames as

@dedemorton

dedemorton Jan 23, 2018

Contributor

I think it's OK to say "we" here. Maybe we can say this more succinctly:

Most field names were changed in 6.2. We wanted to rename the modules and use common field names for similar data types across all the modules.

(IMO "future" is implied here).

new event format. The new dashboards will not work with data produced by older
versions of Auditbeat.
.Summary of Field Renames

@dedemorton

dedemorton Jan 23, 2018

Contributor

I'd just say "Renamed Fields" for the heading here.

is required because the Auditbeat version number is included in then index
and template names. This prevents any field mapping issues between versions.
In Kibana you will need to import the latest dashboards that work with the
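Review bot: typo in the first line of this hunk, `included in then index and template names` should read `included in the index and template names`. The same sentence claims the versioned index and template names prevent field mapping issues between versions; that only holds for users on the default index and template settings, so the paragraph should say so explicitly rather than leaving it implied.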

@dedemorton

dedemorton Jan 23, 2018

Contributor

Just say, "In Kibana you need to import....

@dedemorton

dedemorton Jan 23, 2018

Contributor

might be worth providing the command here for importing the dashboards? Or a link to the docs?

@@ -0,0 +1,129 @@
[[auditbeat-breaking-changes]]

@dedemorton

dedemorton Jan 23, 2018

Contributor

Might be a good idea to add something to the breaking changes section of the platform reference that points to the Auditbeat topic.

@andrewkroh

andrewkroh Jan 23, 2018

Member

I think that it would be good to add something over there, but that page is specific to 6.0. Perhaps on the parent page to that one we could add a list of links?

@dedemorton

dedemorton Jan 23, 2018

Contributor

Yes, a list of links might work, or we could add a container for 6.2 that just points to the Auditbeat topic. If Auditbeat is the only Beat that has breaking changes, a container for 6.2 is overkill, IMO.

@andrewkroh

Member

andrewkroh commented Jan 23, 2018

@dedemorton The PR is updated. Thanks for reviewing.

@@ -17,6 +17,8 @@ include::../../libbeat/docs/contributing-to-beats.asciidoc[]
include::./getting-started.asciidoc[]
include::./breaking.asciidoc[]
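Review bot: the new `include::./breaking.asciidoc[]` is inserted directly after `include::./getting-started.asciidoc[]`, which places Breaking Changes ahead of the repositories topic in the rendered TOC; move the include below the repositories include so the section appears after it.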

@dedemorton

dedemorton Jan 23, 2018

Contributor

Didn't notice this the first time I reviewed, but the include for breaking changes needs to come after the repositories topic (line 22), or you end up with a TOC that looks like this:

[image: screenshot of the resulting TOC]

@dedemorton

Just the TOC change, otherwise, LGTM.

Would also be good to add a link to the platform ref, but I can add that later if you want to get this done and merged.

@andrewkroh

Member

andrewkroh commented Jan 23, 2018

Fixed the TOC, but I didn't do the linking between the platform BC page and the Auditbeat BC page.

@adriansr

LGTM

@adriansr adriansr merged commit 6d58741 into elastic:master Jan 23, 2018


andrewkroh added a commit to andrewkroh/beats that referenced this pull request Jan 23, 2018

Auditbeat GA cleanup (elastic#6138)
Fix issues affecting the latest version of Auditbeat.

- Add filter to omit symlinks from "World Writeable File Count" viz.
- Remove cfgwarn.Beta from Auditbeat modules.
- Adding missing structured logging key name to an Auditbeat warning.

* Add Auditbeat 6.2 breaking changes docs

* Address doc review comments

* Move Breaking Changes below Repos in TOC

(cherry picked from commit 6d58741)

urso added a commit that referenced this pull request Jan 23, 2018

Auditbeat GA cleanup (#6138) (#6151)

athom added a commit to athom/beats that referenced this pull request Jan 25, 2018

Auditbeat GA cleanup (elastic#6138)

@andrewkroh andrewkroh deleted the andrewkroh:feature/ab/auditbeat-ga branch Apr 20, 2018
