
[Auditbeat] Host: Fill top-level host fields #12259

Merged (5 commits), May 28, 2019

Conversation

@cwurm (Contributor) commented May 23, 2019

As of now, the Auditbeat system/host dataset puts all its fields under system.audit.host.*, making its output hard to use together with the data usually added by the add_host_metadata processor in the top-level host object.

With this PR, the dataset copies its fields to host.* so those are always filled.

Most importantly, add_host_metadata does not fill host.ip and host.mac by default. They will now always be filled by this dataset.

I also added system.audit.host.os.codename to complete what the processor adds.
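The copying the description above explains, as an added Go example that is not the Beats code base's own: plain maps stand in for common.MapStr, datasetFields with its constructed values stands in for the dataset's toMapStr, and the clone step is this example's choice rather than something the PR states.

```go
package main

import "reflect"

// Event stands in for Beats' common.MapStr (assumption: plain maps here).
type Event = map[string]interface{}

// datasetFields renders what the system/host dataset collects, including
// the os.codename field the PR adds (constructed stand-in for toMapStr).
func datasetFields(hostname string, ips, macs []string, osName, codename string) Event {
	return Event{
		"hostname": hostname,
		"ip":       ips,
		"mac":      macs,
		"os":       Event{"name": osName, "codename": codename},
	}
}

// cloneEvent copies nested maps (slices stay shared) so host.* and
// system.audit.host.* do not alias one map: a later processor rewriting
// host.* would otherwise silently change the audit copy as well.
func cloneEvent(src Event) Event {
	dst := make(Event, len(src))
	for k, v := range src {
		if m, ok := v.(Event); ok {
			dst[k] = cloneEvent(m)
		} else {
			dst[k] = v
		}
	}
	return dst
}

// BuildEvent assembles an event the way the PR describes: the dataset's
// fields under system.audit.host.* and the same values under host.*.
func BuildEvent(hostFields Event, eventType, action string) Event {
	return Event{
		"event":  Event{"kind": eventType, "action": action},
		"host":   cloneEvent(hostFields),
		"system": Event{"audit": Event{"host": hostFields}},
	}
}

// HostFieldsConsistent checks the invariant consumers of the event rely
// on: host.* must equal system.audit.host.*.
func HostFieldsConsistent(ev Event) bool {
	sys, _ := ev["system"].(Event)
	audit, _ := sys["audit"].(Event)
	return reflect.DeepEqual(ev["host"], audit["host"])
}
```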

@elasticmachine (Collaborator) commented:

Pinging @elastic/secops

@cwurm cwurm removed the request for review from a team May 23, 2019 21:45
@cwurm (Contributor, Author) commented May 23, 2019

Test failure will be fixed by #12261.

@cwurm cwurm force-pushed the host_fill_ip_mac branch from d9eb134 to f40a395 May 24, 2019 16:14

@andrewkroh (Member) left a comment

LGTM

RootFields: common.MapStr{
"event": common.MapStr{
"kind": eventType,
"action": action.String(),
},
"message": hostMessage(host, action),
},
MetricSetFields: host.toMapStr(),
}
MetricSetFields: hostFields,
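Review bot: the excerpt shows `MetricSetFields: host.toMapStr(),` alongside the new `MetricSetFields: hostFields,` but not where `hostFields` is built or that the same map is also placed under the top-level `host` key of `RootFields`, which is the point of the PR; a short comment at the `hostFields` assignment stating that the values are deliberately duplicated between `host.*` and `system.audit.host.*`, plus a test asserting that `host.ip` and `host.mac` equal their `system.audit.host` counterparts, would make the intended duplication (and whether the two keys share one map or hold independent copies) explicit.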
Comment (Member):

If it weren't a breaking change I'd suggest not duplicating values between host.* and system.host.*.

Comment (Contributor Author):

Agreed

@cwurm cwurm merged commit 5502f4e into elastic:master May 28, 2019
@cwurm cwurm deleted the host_fill_ip_mac branch May 28, 2019 19:39
cwurm pushed a commit to cwurm/beats that referenced this pull request May 28, 2019
Copy fields of `system/host` dataset to `host.*` so those are always filled.

Also add `system.audit.host.os.codename` to complete what `add_host_metadata` adds.

(cherry picked from commit 5502f4e)
@cwurm cwurm added the v7.2.0 label May 28, 2019
cwurm pushed a commit that referenced this pull request May 29, 2019
…ds (#12316)

Copy fields of `system/host` dataset to `host.*` so those are always filled.

Also add `system.audit.host.os.codename` to complete what `add_host_metadata` adds.

(cherry picked from commit 5502f4e)
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
…st fields (elastic#12316)

Copy fields of `system/host` dataset to `host.*` so those are always filled.

Also add `system.audit.host.os.codename` to complete what `add_host_metadata` adds.

(cherry picked from commit f6cebc1)
3 participants