Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rename process.exe to process.executable for ECS #9949

Merged
merged 4 commits into from Jan 11, 2019
Merged

Rename process.exe to process.executable for ECS #9949

merged 4 commits into from Jan 11, 2019

Conversation

ruflin
Copy link
Member

@ruflin ruflin commented Jan 8, 2019
edited

This also updates the auditbeat auditd module to use process.executable instead of process.exe.

@ruflin ruflin added in progress Pull request is currently in progress. libbeat ecs labels Jan 8, 2019
@ruflin ruflin requested a review from a team as a code owner January 8, 2019 14:00
ruflin
ruflin commented Jan 8, 2019
View reviewed changes
Copy link
Member Author

@ruflin ruflin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@andrewkroh It seems there is also in auditbeat process.exe?

libbeat/processors/add_process_metadata/_meta/fields.yml Show resolved Hide resolved
@ruflin ruflin mentioned this pull request Jan 8, 2019
Closed
@andrewkroh
Copy link
Member

It seems there is also in auditbeat process.exe?

Yes, the Auditbeat auditd module produces this field.

beats/auditbeat/module/auditd/audit_linux.go

Line 571 in ae290b4

process["exe"] = p.Exe

webmat
webmat approved these changes Jan 8, 2019
View reviewed changes
Copy link
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ruflin ruflin requested review from a team as code owners January 9, 2019 13:02
@ruflin
Copy link
Member Author

ruflin commented Jan 9, 2019

I added to this PR the change in the auditd module in auditbeat.

@ruflin ruflin added review and removed in progress Pull request is currently in progress. labels Jan 10, 2019
@ruflin
Copy link
Member Author

ruflin commented Jan 10, 2019

@andrewkroh Could you take another look as it now also affects auditbeat?

andrewkroh
andrewkroh approved these changes Jan 11, 2019
View reviewed changes
auditbeat/module/auditd/audit_linux.go
@@ -568,7 +568,7 @@ func addProcess(p aucoalesce.Process, m common.MapStr) {
process["name"] = p.Name
}
if p.Exe != "" {
process["exe"] = p.Exe
process["executable"] = p.Exe
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This package has a data.json and I think an execve.json that should be updated. You can run go test . -data on Linux to update them.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, it unfortunately also removed some entries which are probably available in other envs.

@ruflin ruflin merged commit f5a9028 into elastic:master Jan 11, 2019
@ruflin ruflin deleted the ecs-process-metadata branch January 11, 2019 15:46
DStape pushed a commit to DStape/beats that referenced this pull request Aug 20, 2019
@ruflin
Rename process.exe to process.executable for ECS (elastic#9949)
309c560 
This also updates the auditbeat auditd module to use process.executable instead of process.exe.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@webmat webmat webmat approved these changes

@urso urso urso approved these changes

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees
No one assigned
Labels
ecs libbeat review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@ruflin @andrewkroh @webmat @urso