From 1b5a6a67338d5c82fbbba583f63d6cdc4921c6d2 Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Mon, 27 Apr 2020 22:59:06 -0400
Subject: [PATCH 1/5] [Auditbeat] Add ECS categories for system-host module
---
 x-pack/auditbeat/module/system/host/host.go | 23 +++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/x-pack/auditbeat/module/system/host/host.go b/x-pack/auditbeat/module/system/host/host.go
index 540848f8a02..9aa0f7fb2e7 100644
--- a/x-pack/auditbeat/module/system/host/host.go
+++ b/x-pack/auditbeat/module/system/host/host.go
@@ -67,6 +67,23 @@ func (action eventAction) String() string {
 }
 }
 
+func (action eventAction) Type() string {
+ switch action {
+ case eventActionHost:
+ return "info"
+ case eventActionIDChanged:
+ return "change"
+ case eventActionReboot:
+ return "start"
+ case eventActionHostnameChanged:
+ return "change"
+ case eventActionHostChanged:
+ return "change"
+ default:
+ return "info"
+ }
+}
+
 // Host represents information about a host.
 type Host struct {
 Info types.HostInfo
@@ -322,8 +339,10 @@ func hostEvent(host *Host, eventType string, action eventAction) mb.Event {
 event := mb.Event{
 RootFields: common.MapStr{
 "event": common.MapStr{
- "kind": eventType,
- "action": action.String(),
+ "kind": eventType,
+ "category": []string{"host"},
+ "type": []string{action.Type()},
+ "action": action.String(),
 },
 "message": hostMessage(host, action),
 },
From 924b7c51500d360754f8594bbe45c221e887776f Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Mon, 27 Apr 2020 23:14:44 -0400
Subject: [PATCH 2/5] Add changelog entry
---
 CHANGELOG.next.asciidoc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index b1f70eea949..29300bdc51f 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
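Review bot: `Type` is an exported method added without a doc comment; a one-liner such as `// Type returns the ECS event.type value for this action.` above the signature is expected for exported names. The switch also repeats itself: `case eventActionHost:` returns the same "info" as the `default` branch, and three separate cases return "change", so it collapses to `case eventActionIDChanged, eventActionHostnameChanged, eventActionHostChanged:` / `return "change"` with the default covering the rest. Because detection content downstream filters on event.type, the useful property of this mapping is that it stays within ECS's enumerated values (info, change, start), which it does today; a small table test pinning each action's value would keep it that way when new actions are added.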
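Review bot: After this hunk the parameter `eventType` populates `event.kind` while a distinct `"type"` key is populated from `action.Type()`, so two different things in hostEvent are now called "type"; renaming the parameter to `eventKind` would remove that ambiguity (the signature is only visible as the hunk's context line, so the function starts outside the hunk). Wrapping the single values in `[]string{...}` is correct, since ECS defines event.category and event.type as arrays.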
@@ -210,6 +210,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Log to stderr when running using reference kubernetes manifests. {pull}17443[174443]
 - Fix syscall kprobe arguments for 32-bit systems in socket module. {pull}17500[17500]
 - Fix memory leak on when we miss socket close kprobe events. {pull}17500[17500]
+- Add ECS categories for system module host dataset. {pull}18031[18031]
 
 *Filebeat*
From b430aa7914dde7ab369a1039549a40c0a41a2ebf Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Mon, 4 May 2020 23:36:56 -0400
Subject: [PATCH 3/5] Add host.name
---
 x-pack/auditbeat/module/system/host/host.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/x-pack/auditbeat/module/system/host/host.go b/x-pack/auditbeat/module/system/host/host.go
index 9aa0f7fb2e7..2edd33cc804 100644
--- a/x-pack/auditbeat/module/system/host/host.go
+++ b/x-pack/auditbeat/module/system/host/host.go
@@ -123,6 +123,7 @@ func (host *Host) toMapStr() common.MapStr {
 "timezone.name": host.Info.Timezone,
 "timezone.offset.sec": host.Info.TimezoneOffsetSec,
 "hostname": host.Info.Hostname,
+ "name": host.Info.Hostname,
 "id": host.Info.UniqueID,
 "architecture": host.Info.Architecture,
@@ -354,6 +355,7 @@ func hostEvent(host *Host, eventType string, action eventAction) mb.Event {
 hostFields.CopyFieldsTo(hostTopLevel, "architecture")
 hostFields.CopyFieldsTo(hostTopLevel, "containerized")
 hostFields.CopyFieldsTo(hostTopLevel, "hostname")
+ hostFields.CopyFieldsTo(hostTopLevel, "name")
 hostFields.CopyFieldsTo(hostTopLevel, "id")
 hostFields.CopyFieldsTo(hostTopLevel, "ip")
 hostFields.CopyFieldsTo(hostTopLevel, "mac")
From edaf05ec54047953671c43acc6f648c698921dbb Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Tue, 5 May 2020 03:00:36 -0400
Subject: [PATCH 4/5] Add host.name to ECS-only fields
---
 x-pack/auditbeat/module/system/host/host.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/x-pack/auditbeat/module/system/host/host.go b/x-pack/auditbeat/module/system/host/host.go
index 2edd33cc804..757fec1eb4d 100644
--- a/x-pack/auditbeat/module/system/host/host.go
+++ b/x-pack/auditbeat/module/system/host/host.go
@@ -123,7 +123,6 @@ func (host *Host) toMapStr() common.MapStr {
 "timezone.name": host.Info.Timezone,
 "timezone.offset.sec": host.Info.TimezoneOffsetSec,
 "hostname": host.Info.Hostname,
- "name": host.Info.Hostname,
 "id": host.Info.UniqueID,
 "architecture": host.Info.Architecture,
@@ -351,11 +350,12 @@ func hostEvent(host *Host, eventType string, action eventAction) mb.Event {
 }
 
 // Copy select host.* fields in case add_host_metadata is not configured.
- hostTopLevel := common.MapStr{}
+ hostTopLevel := common.MapStr{
+ "name": host.Hostname,
+ }
 hostFields.CopyFieldsTo(hostTopLevel, "architecture")
 hostFields.CopyFieldsTo(hostTopLevel, "containerized")
 hostFields.CopyFieldsTo(hostTopLevel, "hostname")
- hostFields.CopyFieldsTo(hostTopLevel, "name")
 hostFields.CopyFieldsTo(hostTopLevel, "id")
 hostFields.CopyFieldsTo(hostTopLevel, "ip")
 hostFields.CopyFieldsTo(hostTopLevel, "mac")
From aa99b05a33dccc156a26ab1896ba7eafbde69adc Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Tue, 5 May 2020 09:27:53 -0400
Subject: [PATCH 5/5] Remove added 'name' field
---
 x-pack/auditbeat/module/system/host/host.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/x-pack/auditbeat/module/system/host/host.go b/x-pack/auditbeat/module/system/host/host.go
index 757fec1eb4d..9aa0f7fb2e7 100644
--- a/x-pack/auditbeat/module/system/host/host.go
+++ b/x-pack/auditbeat/module/system/host/host.go
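Review bot: `"name": host.Hostname,` in the new hostTopLevel literal reads a field that the rest of this file reaches as `host.Info.Hostname` (the toMapStr hunk just above, and the Host struct whose first field is the named, not embedded, `Info types.HostInfo`); unless Host declares a separate Hostname field outside this view, this does not compile, and the intended line is presumably `"name": host.Info.Hostname,`. The literal is also built before the CopyFieldsTo calls, so host.name is now set unconditionally even though the comment above describes the block as a fallback for when add_host_metadata is not configured; if that is the intent, the comment should say that name is always populated by this dataset. The final patch in this series removes the line again, so this may already be moot.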
@@ -350,9 +350,7 @@ func hostEvent(host *Host, eventType string, action eventAction) mb.Event {
 }
 
 // Copy select host.* fields in case add_host_metadata is not configured.
- hostTopLevel := common.MapStr{
- "name": host.Hostname,
- }
+ hostTopLevel := common.MapStr{}
 hostFields.CopyFieldsTo(hostTopLevel, "architecture")
 hostFields.CopyFieldsTo(hostTopLevel, "containerized")
 hostFields.CopyFieldsTo(hostTopLevel, "hostname")