From 76a7c0965ef007fef7770690729bad37de823656 Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Mon, 21 Jan 2019 18:01:21 -0500 Subject: [PATCH] Changed auditd fields for ECS (#10195) * Changed auditd fields for ECS - Rename `process.cwd` to `process.working_directory` in auditd module. - Change data type of `process.pid` and `process.ppid` to number in JSON output. - Add user.id (same as UID) and user.name. - Add group.id (same as GID) and group.name. Issue #10111 * Change file.uid/file.gid to string in JSON output The JSON data type was number but ECS says it should be a keyword which is a JSON string. Fixes #9607 --- CHANGELOG.next.asciidoc | 7 +++++ auditbeat/docs/breaking.asciidoc | 14 +++++++++ auditbeat/docs/fields.asciidoc | 4 ++- auditbeat/module/auditd/_meta/accept.json | 10 +++++-- auditbeat/module/auditd/_meta/data.json | 4 ++- auditbeat/module/auditd/_meta/execve.json | 12 +++++--- auditbeat/module/auditd/_meta/fields.yml | 4 ++- auditbeat/module/auditd/audit_linux.go | 30 +++++++++++++++++-- auditbeat/module/auditd/audit_linux_test.go | 2 +- auditbeat/module/auditd/fields.go | 2 +- .../module/file_integrity/_meta/data.json | 16 ++++++---- auditbeat/module/file_integrity/event.go | 4 +-- dev-tools/ecs-migration.yml | 4 +++ 13 files changed, 91 insertions(+), 22 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 16ebbe39f99..deb6b0527b3 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -22,6 +22,11 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Auditbeat* - Rename `process.exe` to `process.executable` in auditd module to align with ECS. {pull}9949[9949] +- Rename `process.cwd` to `process.working_directory` in auditd module to align with ECS. {pull}10195[10195] +- Change data type of `process.pid` and `process.ppid` to number in JSON output + of the auditd module. {pull}10195[10195] +- Change data type of `file.uid` and `file.gid` to string in JSON output of the + FIM module. {pull}10195[10195] *Filebeat* @@ -137,6 +142,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Auditbeat* - Add system module. {pull}9546[9546] +- Add `user.id` (UID) and `user.name` for ECS. {pull}10195[10195] +- Add `group.id` (GID) and `group.name` for ECS. {pull}10195[10195] *Filebeat* diff --git a/auditbeat/docs/breaking.asciidoc b/auditbeat/docs/breaking.asciidoc index 6801239d169..e5e3e417d49 100644 --- a/auditbeat/docs/breaking.asciidoc +++ b/auditbeat/docs/breaking.asciidoc @@ -7,9 +7,23 @@ In version 7.0 the following fields were renamed. [frame="topbot",options="header"] |====================== |Old Field|New Field +|`process.cwd` |`process.working_directory` |`source.hostname` |`source.domain` |====================== +The JSON data types produced by the output have been changed to align with +the data types used in the Elasticsearch index template. + +.Type Changes in 7.0 +[frame="topbot",options="header"] +|====================== +|Field|Old Type|New Type +|`file.gid` |number |string +|`file.uid` |number |string +|`process.pid` |string |number +|`process.ppid` |string |number +|====================== + == Breaking changes in 6.2 As a general rule, we strive to keep backwards compatibility between minor diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc index 5e8f4f478b9..53cbb9691ae 100644 --- a/auditbeat/docs/fields.asciidoc 
+++ b/auditbeat/docs/fields.asciidoc @@ -263,7 +263,9 @@ Process attributes. *`process.cwd`*:: + -- -type: keyword +type: alias + +alias to: process.working_directory The current working directory. diff --git a/auditbeat/module/auditd/_meta/accept.json b/auditbeat/module/auditd/_meta/accept.json index 40272982564..4bd6c80c512 100644 --- a/auditbeat/module/auditd/_meta/accept.json +++ b/auditbeat/module/auditd/_meta/accept.json @@ -37,14 +37,18 @@ "module": "auditd", "type": "syscall" }, + "group": { + "id": "0", + "name": "root" + }, "network": { "direction": "incoming" }, "process": { "executable": "/usr/sbin/sshd", "name": "sshd", - "pid": "1663", - "ppid": "1", + "pid": 1663, + "ppid": 1, "title": "(sshd)" }, "service": { @@ -64,6 +68,8 @@ "fsgid": "0", "fsuid": "0", "gid": "0", + "id": "0", + "name": "root", "name_map": { "egid": "root", "euid": "root", diff --git a/auditbeat/module/auditd/_meta/data.json b/auditbeat/module/auditd/_meta/data.json index 4b28297ec82..ac7ca19d3b6 100644 --- a/auditbeat/module/auditd/_meta/data.json +++ b/auditbeat/module/auditd/_meta/data.json @@ -37,7 +37,7 @@ }, "process": { "executable": "/usr/sbin/sshd", - "pid": "12635" + "pid": 12635 }, "service": { "type": "auditd" @@ -47,6 +47,8 @@ }, "user": { "auid": "unset", + "id": "0", + "name": "root", "name_map": { "uid": "root" }, diff --git a/auditbeat/module/auditd/_meta/execve.json b/auditbeat/module/auditd/_meta/execve.json index b39ca800360..68aa164b5ff 100644 --- a/auditbeat/module/auditd/_meta/execve.json +++ b/auditbeat/module/auditd/_meta/execve.json @@ -66,17 +66,20 @@ "path": "/bin/uname", "uid": "0" }, + "group": { + "id": "1002" + }, "process": { "args": [ "uname", "-a" ], - "cwd": "/home/andrew_kroh", "executable": "/bin/uname", "name": "uname", - "pid": "10043", - "ppid": "10027", - "title": "uname -a" + "pid": 10043, + "ppid": 10027, + "title": "uname -a", + "working_directory": "/home/andrew_kroh" }, "service": { "type": "auditd" 
@@ -91,6 +94,7 @@
 "fsgid": "1002",
 "fsuid": "1001",
 "gid": "1002",
+ "id": "1001",
 "sgid": "1002",
 "suid": "1001",
 "uid": "1001"
diff --git a/auditbeat/module/auditd/_meta/fields.yml b/auditbeat/module/auditd/_meta/fields.yml
index 9b0a0af1c6f..0d34e69ca34 100644
--- a/auditbeat/module/auditd/_meta/fields.yml
+++ b/auditbeat/module/auditd/_meta/fields.yml
@@ -93,7 +93,9 @@
 description: Process attributes.
 fields:
 - name: cwd
- type: keyword
+ type: alias
+ path: process.working_directory
+ migration: true
 description: The current working directory.
 
 - name: source
diff --git a/auditbeat/module/auditd/audit_linux.go b/auditbeat/module/auditd/audit_linux.go
index b76d39014d8..7ee4536c8ba 100644
--- a/auditbeat/module/auditd/audit_linux.go
+++ b/auditbeat/module/auditd/audit_linux.go
@@ -486,6 +486,7 @@ func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event
 
 // Add root level fields.
 addUser(auditEvent.User, out.RootFields)
+ addGroup(auditEvent.User, out.RootFields)
 addProcess(auditEvent.Process, out.RootFields)
 addFile(auditEvent.File, out.RootFields)
 addAddress(auditEvent.Source, "source", out.RootFields)
@@ -546,6 +547,25 @@ func addUser(u aucoalesce.User, m common.MapStr) {
 user["name_map"] = u.Names
 }
 }
+ if uid, found := u.IDs["uid"]; found {
+ user["id"] = uid
+ }
+ if uidName, found := u.Names["uid"]; found {
+ user["name"] = uidName
+ }
+}
+
+func addGroup(u aucoalesce.User, m common.MapStr) {
+ group := make(common.MapStr, 2)
+ if gid, found := u.IDs["gid"]; found {
+ group["id"] = gid
+ }
+ if gidName, found := u.Names["gid"]; found {
+ group["name"] = gidName
+ }
+ if len(group) > 0 {
+ m.Put("group", group)
+ }
 }
 
 func addProcess(p aucoalesce.Process, m common.MapStr) {
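Review bot: Neither `addGroup` nor the new `user.id`/`user.name` assignments in `addUser` say which of the several audit ids carried in `u.IDs`/`u.Names` (uid, fsuid, suid, and their gid counterparts all appear in the execve sample) is meant to populate the ECS fields, so a reader cannot tell whether picking `uid`/`gid` over the effective ids was deliberate. Suggest `// addGroup sets ECS group.id and group.name from the audit record's gid entry; the effective and saved ids remain under user.*.` above `func addGroup`, with a matching one-line comment above the `u.IDs["uid"]` lookup. The `name` values come from the resolved-name map, which is presumably a best-effort lookup on the monitored host at capture time, so a comment marking `id` as the authoritative value for detection logic would help — confirm against aucoalesce. The start of `addUser` is outside the hunk.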
@@ -556,10 +576,14 @@ func addProcess(p aucoalesce.Process, m common.MapStr) {
 process := common.MapStr{}
 m.Put("process", process)
 if p.PID != "" {
- process["pid"] = p.PID
+ if pid, err := strconv.Atoi(p.PID); err == nil {
+ process["pid"] = pid
+ }
 }
 if p.PPID != "" {
- process["ppid"] = p.PPID
+ if ppid, err := strconv.Atoi(p.PPID); err == nil {
+ process["ppid"] = ppid
+ }
 }
 if p.Title != "" {
 process["title"] = p.Title
@@ -571,7 +595,7 @@ func addProcess(p aucoalesce.Process, m common.MapStr) {
 process["executable"] = p.Exe
 }
 if p.CWD != "" {
- process["cwd"] = p.CWD
+ process["working_directory"] = p.CWD
 }
 if len(p.Args) > 0 {
 process["args"] = p.Args
diff --git a/auditbeat/module/auditd/audit_linux_test.go b/auditbeat/module/auditd/audit_linux_test.go
index c8d8fa0b02e..65b3aaf189f 100644
--- a/auditbeat/module/auditd/audit_linux_test.go
+++ b/auditbeat/module/auditd/audit_linux_test.go
@@ -222,7 +222,7 @@ func assertHasBinCatExecve(t *testing.T, events []mb.Event) {
 t.Helper()
 
 for _, e := range events {
- v, err := e.RootFields.GetValue("process.exe")
+ v, err := e.RootFields.GetValue("process.executable")
 if err == nil {
 if exe, ok := v.(string); ok && exe == "/bin/cat" {
 return
diff --git a/auditbeat/module/auditd/fields.go b/auditbeat/module/auditd/fields.go
index 68fefd9fe17..5f7d19661be 100644
--- a/auditbeat/module/auditd/fields.go
+++ b/auditbeat/module/auditd/fields.go
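Review bot: When `strconv.Atoi(p.PID)` fails the pid is now dropped from the event with no trace, whereas the old code always emitted the raw string, so an audit record whose pid field does not parse silently loses its process correlation key. If the module logger is in scope the failure deserves a debug log; at minimum a comment such as `// Audit reports pid as a decimal string; values that do not parse are dropped rather than indexed under the numeric process.pid field.` should state the trade-off, and the same applies to the `ppid` block directly below. Since the two blocks are identical, a small helper would remove the duplication and give the behaviour one documented home; the rest of `addProcess` lies outside the hunk.
```go
// putIntField stores s under key as a number. Empty s is skipped, as is a
// value that does not parse as base-10, so the field keeps its numeric mapping.
func putIntField(m common.MapStr, key, s string) {
	if s == "" {
		return
	}
	if v, err := strconv.Atoi(s); err == nil {
		m[key] = v
	}
}

// … in addProcess, replacing the two pid/ppid if blocks …
putIntField(process, "pid", p.PID)
putIntField(process, "ppid", p.PPID)
```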
@@ -31,5 +31,5 @@ func init() { // Asset returns asset data func Asset() string { - return "eJzMXUuPJDdyvs+vIHQZCdC05JXhwxwWmJV8aFi2BUtj2DCMGhYzMovTTDKHZFZ17a83go9M5qs6o3q8WB0G6upi8BXxxRfBIPsde4Lre8b7SvrqDWNeegXv2Yf8cwVOWNl5afR79scJHDBugfkTsFqCqhxrQIPlHip2vIbPoyzWmqpX8PCGpS++f/OGsXdM8xbes96BfcMYY/7awXvWWNN34ef8Xfz//GXeyyp8kL/+BNeLsfmzyRCVaaQO4tnjLxMpBCFrzYHQHuoahJdnWJVUO4KoWipg7uo8tKvCKLIcaL8qpNkvI+zUYm0IAsa1WRXlCKIc+HUhNUVKucKr0vDfQ8u7icBRY2fi/pw+ZOyxZp8sOKPOcJCV+8SkC0P2hnnbA5M6mIswupZNbzm2x080+5S7/DQIu0il8KueS804a3nXSd0wU6NeR6sJA3VB/AlY6jl+Ooj5Fh6ah2BQ7N2fmTXGf/eQflla3qrtra/ltv0VHS9tcJewLTFAlDOzxxWJpU3uErmwyxWhVJmjfa4Ia2iyoiavrR1R0Nxe1+ZJFDna7epOEKUt7XeQOgwQlNT98z4D/uME7Pd//hUbMFmB9tJf0c6CaxPe2NsGM3i2ncPnQphee+b6Yys9utHaWMZ7BAIvRUCFWRfWKKCa0Vs3TKponiVWpuVSU2T+kVejEBylMGODgIdZHwrOoF7oAp552yH/cD/u7zYInvcmuIfG2Otr55Tl4KyEaTtufQvau4eSzXTWCHBuldBMevgtfpFx76089h7cwybrEZfdLgwHLnprET8uxj6hZ6ikBZzLdTJSZ3or4OWB/h6+x/yJe+atbBqwUAUTgDNovz3qjvvT/mFLh04RxWI7xp0zQgYueZH4M+u1fGbOiCfwk3lU4LzUo3HcnMwv45cZryqLO/B3O7OBie/jxg6+9KAFTEamjG5ucxPUmNyU6b49gs0YF5aBcYdjlo0eef0TWA3qgf0+7ZKl9i4EBs4bXE9sznqp/U9/yjwnNmdcV0xwjSikzBkSmo7TcW4EvBfXeT6h0Jg9/jKO3RvGIyl5YB+UirNzzIIKmzH+epCUpQTGdeLnGOw43gI7c9XDdMAWXK/8jfGOkNaLYPvGsppLtWXHUeDgcFAboGKmg0QQv01yfkAh3wXVKRlH2/IB9JaOboPjIU7MgLJstQWTWcMDZVkxqDD40qyWQygxVBZD30bsTQ3IWpAEbfjuiWlmsDdWNlJzNdME/O/xlwf26KMyaOOZOHHdRCNhsh6nHz8P7Jtr409gs2d/WEzVgTC6umOyUclT4xcneO2k4EpdJ/MZdJkndIqr9T2DZwGdD+TjgjHIMLMTd/g/Ffvk+k9zN2uOn0H4/bpTble5E/4UohmbBLIj4M9coO73ndEZRHYqE47jdZr0ofxlXuFL0PETsG/CeL/B0ceICkno9wnOv58IwjV8lzDlu6Uu3Kn233zz9bRqkJUlncyFQpsWexp/ewSHkrJqBkjljnVga2NbqB7YR9ejfuLmD4oAz+XGRdLVos8I+IIComrAM4g+IPimI194b7cvAPhVuoC/ocnCcy+0cB1TpTYViaSHBsmVztk5nCmSKjhL9OrJymvT6wrt54dRTmG+B2rAslAXFEINSVaF0KOQVTF7Ao0XpUwQ5C4Z9yQUzEWDnaToCqZBVANU1KQK0VPUEiz71nUgJFehP8eMVtfvZh3hv9TpP0ldoc3EWQxkJdqqhRosMsZqvkb3hPpxjSaZusLsPLQUiZeTFKfQCgEoD1cYWy0G2xINGr/PasUbXGXGw+BXVpo8/2DXUjN+Fm6KcRX3fB/EIZHAb7Pamrbgai04x5scld7giyNH3zVwDb6WyoNlHUcXySrpOuPkSnKjlXpBRvfAXWi3jp9cLCjK7ZRMzpjk3MxK
mgrjSKo1WmiNh1kImmmWdEwYrUF41EHcl1mPQnYnGlIHTTE1E/baeZMEMAcKkFfNLYdkiVVvI0GLC5TY70wkaG/l8Om+IQ+haGqcid+oQZ4fF4aE8EPpxoE9YzeWCSUx3JU6r9IAXvMunPwrDRLhyrBNoNQvCHfdHZnilHVagiC34kTVTVB1aCc9CN/bhFwLwY2gCh53lNumD7mzGCQFCncOqVsMU+YwwD/fBwPYbh0Gei1JMBBzylXZbogvCh0kAmBouoYoHmyLQShpgVObaOollthea7TQzprG8hZ90Ky/xnLtjSWZZ8fbdK7rGO86a87Yx8jw58Q15CCJvmJoVEDXlt2YjqqOc24yhCMRjqXLKZf57nhSKtn7K+uTStK2ZWoOexUVm2RTkzod2oyBfMzpGRGSxPOpFbRhX5r8j/9mHp7nNlHzVirSIhWswBpvhFmCAAlukrL864efGVeNsdKf2i1319U0xQcbVrQ29sJthcG2BXFlLfiTWbhSDy1J+hQnQ8I4klA3yXvM0fjHVwUo/B9e1/xPr2v+06uan4zzVPaM65jbUcmX6owlOQ9lBMIy+IuxT6xoPYRzVImJPWKzdf8Gz2T/FmAD2zExRjeDQZPANRkfsp5a6iYYtVzorKLy5uk6Juq8YE93bc72Sgre8aNUkob5GNA8j23lgg9rbptX4MKUP6VkI1vhThou70AjzyCRSg2XgO0pbR8FMAcejWJuvvidw5GLJ2Wag5ItTfViF5FgvXUsyWFfeuiBFUS7IBJ0CmHsdY1nCd4daMmNTLTHUohRQdhYGFQmCmj+G0RvgyxsmYhJSLlj6HCWC+zQcDl0JOvEvc3T6JA0hkqDm9MwqrpHizoLITrZq0mGWmEUTwjeupVSv8ngSTJVFQ/3ZmKOXGugUeTUJO6f0REFoWIdbxYACxxDLVpQGQ5RU8ukKjH6nrOQc/tO+Gcq3JzRHoXRSPCY83Zlw4ix6rBfm/GqA1RJ0irn8oygy+FsxRV2s5A/OaUldfDhP39mFQgZjoRDyATVDxVouegFUdcOq0XO1JuaWd3kg6+qQuu3pmWcnedkBC1TA2k62SoDN075p/KMfNGHkw2cD/gFQ4Iy2YRwdM2rSpqoGwciRlUH0LWxQtIWHO0clyA2BvSmzHnu+7mrxiU+i66/Z41Hj/3zbx+ZMHZBBCzaK0X0UMHFUglXIaCoRKDRyZt1BtMyg7n3ryoitRiWBB1RPHqowK8FZjUnJfATC8o6PQlCB8tU+ukdEbU6WcXheiX1U05bO9DVQhtdf/xMYp+u60KjCIs3wZb/z4/vfvpfKojPmeJqhk1Mj+l3ZX/8CSXGlhiauqur58odXRTdqb117Aw24Oy60QvTklTDjCscj5CV1KuZN0RuIp6WOJog+xaaZjd1Jln9UIUa0gCjjPIoathNxR3V/mONX2h5e/ih8JG0PtIdYqOD5+5pWiU1WLqkSAxnX8MopT6BlS9y2CkzIkJVahzhas7xHcnvxDrAqzK8miBuSvPMo52vnhpADXdAPelHrM46WLQd/fmZK1kdEoDdo9nTpsP8iXm/NP3CJucj7Z6pBv74238NWYd1NkMMW2QnRkRaD1paLkIilCIW/AnR02cPhU3Y4y/x5HaOoHf4qVSPddNJSaJvffwt5Jwby1tWW94EGjbWKKzoLi1ZW94IKPn0GrSdWyozCBHSZiwTsgskYMuidkIaMlNqyNxZOEvTu3jxZy3QNY7GHgdNHmtu5+hOr+zIn2wd4EliucjE5DYKRlC7KumeSGGbdE8vKlbH7Ziy3+0kyqAne4ooaa1+RAHpZE2BboYa9mHna8VpMVQHesgdr50S90Tt5Ozjx6UdEattHAgkHLnScCWdHaKAxhLTZpH+p3tFG7niAy1THnR9ZxIO1bOllTSh1+ZtKMswNWuhNfaK/PFf/jKPW0La5R63PWZdkhlUIGQV8l2zPu6K0nEGu6J0XB1x4tTKOJSPzbjwYHMSZgeLR+j9
Whke5CznWzme3suaZJa9Z1J7sDUXG2kT0ZLsModN04LbmcyTMSTsHM98sWU8hkvUReAirZy94S6Tazpxj22vJ7fOBsWn+s+Q1rmVbnaSpBW3smTTk5ULl/7gJe2gc+N0BWWxQtbgqUKGmhQZpCZrwTQaCRGxcuJsF2pRMSu+VJARtwStlUyxURWRvRlVURkcQtkd+1lxaINnK6+Lx8AaZ1NKHTiYsS0tbo9dKdO8ddPW5dETkYahKWb2NYPZmXB/RygZbo9w24APF3nKrM+NkKXlpFDo5eKyC/e0ortpLW9sv5EOCJ3f6XVmsoj8Z/OW9tEYGhwnB5gZBLYHPmcLUrTdwRNLz0PEa+rQOBcwryitMoLoqC4xUgpl7em8rRAygYzRae11grEsxJpWOtEjThQ0fKxbJq0xj/cLQ905co2c4LvJaSSVD5d1GKEqYeY/JmfUJCgtz6h3QmkFNe+Vf3cHbqSmgWiup6FCLEYFuwHoUvAWhCAyXfRqZgOdfMedu5AhNSpnbWw4ag8yjK0Qu5sl3oXdIFasXqiFD7nU7p7tyJw/o3aptNNLwZPA60zjLWVmqCzUuX3yUETeNGhfbAJxSaKxbec1i9KQfQct6ZYOtuu5kn/ddUsnpLRoB0X0ShPykWgmjcOrFutHopaYSU6YeZOmhJN+6njLZPraWM3x82uwZnIRd2T2xGxy4ZjW6nFxo16RLJvEvAtPFAOfmktFrImZhTtJwtohmdS0mFrql0LqM8nvJ7tjLRenjbPIMqG2S2bb8u5mOi7kvYin6sOxd9KDzTKMV2fmb+sE9kDMTA+5boewvpLqdvCFWNMyfSdjvmF/Exf05Xj1tHUYk9+Ofen58FJAKWhcEurR4LwgJaRFint2EydNd56D99/JPBCRqeU6CMgvl+qgBpKTT0ZVm8mnEC+QvGmZYtjpUStqmXU6Qn38bYNpBBdNvOO98NDLd6ekEV4R05LxkZQvPTg/FLrkR++CvI16F0c8VY5F4tvki3cdty3tklpuky7kSB1zLEty+zewGVSlQ8tp3nyeScP28ycYcjJj7c4KEcxjznXzjDGgC72KZO9J6/Hz4Z4HC28QMgvc0W7DFSksVoE2IdfHk6AQ/W3evlPSkTNpcy4VU/UoabsSk5pZybiwJ7ty7GnXh1OayfXHzDJ6F45XSmqvjG4cG5jxBJlJdlciM8FTUYF0EjosQfT/KfvUW5JlffyPR9YZqYOChrLD9bxQpPl3XCwoVdO9delawQ+VdOFG7WYZ730ZlqmS7syyRLpK5VJzP7lSatXRJKp8SuuM5sU1pgGF78yz7yxa9eRixDGBn8qNUICs15+/JBLu8vTkpRpTDaSXj6JyxEDGQXhFYHqnYxgy7Vp3eFJbiiR/7QWirQvRsm3uvvURInXZ8gZeuACiqntO3bOaL07eXzpzPxBXL7+EOfiX24cOqdCd0sPlFMruok2k0PvCXRZV94oZy7RZzyjfzyleSiinYJrkDIYIqAIFfqPcNVbZz+RO68c33/Ura1m3hrRC8Yti1pUX9CbxDUGq5Zf5lQHnbR+evFh2c3cvk4delnJnV+W3JQ+PR/ZaPt/qMc0pCmbf4te/Z7I7/2P495++zxmdtRfoxndNCZOkvW9a9pffGHpT9ld4o0lH49tyHzQztgoBhkoPtPm0oVkisyBADtmk4tFRjFAGSRewEK/neYNIFxUgvkJXGRECyvSMYnxXXboBvGQdXi6xtoj78rMKmQrmJzHCA0vGYptPUgvVV3Cw/HJIw83vwQ9yJu/BT9fswq2Wupmu2XSPNpYNlSO3Xv6phr8A9/ktn9R3XI3i0cPZk4vj34BIzCsIy6dpXFfhd8Pt1QrOoEwXgnT8ZQXHfqyV6XrbGZfeIZs8g9uASUeTc7BZnShOMzTJf5UiDBBqqfNjtMLoM2gZEnlSM8EdsKvpU+naGA2AtlKcxg3sXYy4svQQEEnNfjWN89ydcIcfdQPOs38zFSzfDy5rGpEd
g/YHTXy6YPrE4lhPlvYsSl08gS399ev2JP113omFRhr9VbuJIhezMb329nqQzhyoxaFlbz9HOezx938PVaKLZ8rNhHQO+gfmEMKbffPBEFP6voKg9Ir78MPDm/8LAAD//12fq4o=" + return "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" } diff --git a/auditbeat/module/file_integrity/_meta/data.json b/auditbeat/module/file_integrity/_meta/data.json index 1ba2b794d30..e9c40c7997d 100644 --- a/auditbeat/module/file_integrity/_meta/data.json +++ b/auditbeat/module/file_integrity/_meta/data.json @@ -9,22 +9,26 @@ "created", "updated" ], + "dataset": "file", "module": "file_integrity" }, "file": { - "ctime": "2018-01-05T03:28:26Z", - "gid": 20, + "ctime": "2019-01-19T15:21:37.939882147Z", + "gid": "20", "group": "staff", - "inode": "20164115", + "inode": "8028777", "mode": "0600", - "mtime": "2018-01-05T03:28:26Z", + "mtime": "2019-01-19T15:21:37.939882147Z", "owner": "akroh", - "path": "/private/var/folders/8x/rnyk6yxn6w97lddn3bs02gf00000gn/T/audit-file864778064/file.data", + "path": "/private/var/folders/kx/7y5ztvx100z148jvds11c6rh0000gn/T/audit-file418060202/file.data", "size": 11, "type": "file", - "uid": 501 + "uid": "501" }, "hash": { "sha1": "2aae6c35c94fcfb415dbe95f408b9ce91ee846ed" + }, + "service": { + "type": "file_integrity" } } \ No newline at end of file diff --git a/auditbeat/module/file_integrity/event.go b/auditbeat/module/file_integrity/event.go index 3c2fd6dffe9..27178b18539 100644 --- a/auditbeat/module/file_integrity/event.go +++ b/auditbeat/module/file_integrity/event.go @@ -249,8 +249,8 @@ func buildMetricbeatEvent(e *Event, existedBefore bool) mb.Event { file["uid"] = info.SID } } else { - file["uid"] = info.UID - file["gid"] = info.GID + file["uid"] = strconv.Itoa(int(info.UID)) + file["gid"] = strconv.Itoa(int(info.GID)) file["mode"] = fmt.Sprintf("%#04o", uint32(info.Mode)) } diff --git a/dev-tools/ecs-migration.yml b/dev-tools/ecs-migration.yml index b64f2c70621..148939a0a55 100644 --- a/dev-tools/ecs-migration.yml +++ b/dev-tools/ecs-migration.yml 
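Review bot: `strconv.Itoa(int(info.UID))` and the `GID` line below it route an id through `int`; if `UID`/`GID` are unsigned 32-bit fields (the `uint32(info.Mode)` cast on the next line suggests the info struct uses fixed-width unsigned types) then on a 32-bit build an id at or above 2^31 would be rendered as a negative string, which no longer matches the id the kernel reported. `file["uid"] = strconv.FormatUint(uint64(info.UID), 10)` and `file["gid"] = strconv.FormatUint(uint64(info.GID), 10)` give the same output on 64-bit and stay correct everywhere; confirm the field types in the info struct, which is outside the hunk. `buildMetricbeatEvent` starts and ends outside the hunk.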
@@ -799,6 +799,10 @@ to: process.executable alias: true +- from: process.cwd + to: process.working_directory + alias: true + # Metricbeat