
Changed auditd fields for ECS #10195

Merged
merged 2 commits into from
Jan 21, 2019

Conversation

andrewkroh
Member

@andrewkroh andrewkroh commented Jan 19, 2019

  • Rename process.cwd to process.working_directory in auditd module.
  • Change data type of process.pid and process.ppid to number in JSON output of auditd module.
  • Add user.id (same as UID) and user.name.
  • Add group.id (same as GID) and group.name.
  • Change file.uid and file.gid to string in JSON output for the FIM module.

Issue #10111

- Rename `process.cwd` to `process.working_directory` in auditd module.
- Change data type of `process.pid` and `process.ppid` to number in JSON output.
- Add user.id (same as UID) and user.name.
- Add group.id (same as GID) and group.name.

Issue elastic#10111
@andrewkroh andrewkroh force-pushed the feature/ab/ecs-auditd-fields branch from b2ac61c to 7f3c1dd Compare January 19, 2019 15:13
The JSON data type was number but ECS says it should be a keyword which is a JSON string.

Fixes elastic#9607
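Pipelines that still hold pre-PR auditbeat documents (or ingest from mixed agent versions) need to fold them into the layout this PR produces, otherwise mappings and detection rules keyed on `process.working_directory` or numeric `process.pid` miss the older events. The normalizer below is an added example, not code from this PR or from Beats; it assumes the pre-PR layout described in the PR body and commit messages, covers only the rename and type changes (not the new user/group fields), and the sample document is constructed.

```go
package main

import (
	"encoding/json"
	"strconv"
)

// Event is a decoded auditbeat JSON document: nested maps, numbers as float64.
type Event = map[string]interface{}
// LegacyEvent is a constructed (not captured) pre-PR document used as sample input.
const LegacyEvent = `{"process":{"cwd":"/tmp","pid":"1234","ppid":"1"},"file":{"uid":1000,"gid":1000}}`

// NormalizeAuditdEvent rewrites a pre-PR event in place: process.cwd -> process.working_directory,
// process.pid/ppid to JSON numbers, file.uid/gid to keyword strings. Already-converted events are
// left untouched. It returns the changes applied, so a pipeline can log what it rewrote.
func NormalizeAuditdEvent(ev Event) []string {
	var changes []string
	if p, _ := ev["process"].(Event); p != nil {
		if cwd, ok := p["cwd"]; ok {
			p["working_directory"] = cwd
			delete(p, "cwd")
			changes = append(changes, "process.cwd -> process.working_directory")
		}
		for _, k := range []string{"pid", "ppid"} {
			if s, ok := p[k].(string); ok {
				if n, err := strconv.ParseInt(s, 10, 64); err == nil {
					p[k] = n // marshals as a JSON number
					changes = append(changes, "process."+k+": string -> number")
				}
			}
		}
	}
	if f, _ := ev["file"].(Event); f != nil {
		for _, k := range []string{"uid", "gid"} {
			if n, ok := f[k].(float64); ok { // json.Unmarshal decodes numbers as float64
				f[k] = strconv.FormatInt(int64(n), 10)
				changes = append(changes, "file."+k+": number -> string")
			}
		}
	}
	return changes
}

// NormalizeJSON decodes a raw document, normalizes it and re-encodes it.
func NormalizeJSON(raw []byte) ([]byte, []string, error) {
	var ev Event
	if err := json.Unmarshal(raw, &ev); err != nil {
		return nil, nil, err
	}
	changes := NormalizeAuditdEvent(ev)
	out, err := json.Marshal(ev)
	return out, changes, err
}
```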
Contributor

@ruflin ruflin left a comment


CI failure is not related.

@cwurm
Contributor

cwurm commented Jan 21, 2019

My proposal in #10111 (comment) of a nested structure for user received some approval and no objections. Should we put it in place then, either in this PR or in a follow-up (I'm happy to do it)?

Contributor

@webmat webmat left a comment


LGTM overall.

But as @cwurm is suggesting, what do you think about trying the proposed nesting for user/group? Most recent and clear example of it is in this comment

|`process.pid` |string |number
|`process.ppid` |string |number
|======================

Contributor


Love this file. All Beats should have that!

cc @ruflin

Contributor


I'm hoping to generate something like this out of our migration file.

@andrewkroh
Member Author

Should we put it in place then, either in this PR or in a follow-up (I'm happy to do it)?

@cwurm Can you take on the additional user related changes? Thanks!
