update Linux mappings (opensearch-project#223)
* updated linux mappings

Signed-off-by: Grant Haywood <[email protected]>

* update linux mappings

Signed-off-by: Grant Haywood <[email protected]>

Signed-off-by: Grant Haywood <[email protected]>
phaseshiftg authored and eirsep committed Apr 3, 2023
1 parent ed15506 commit 227b01e
Showing 2 changed files with 44 additions and 162 deletions.
44 changes: 11 additions & 33 deletions src/main/resources/OSMapping/linux/fieldmappings.yml
@@ -1,37 +1,15 @@
fieldmappings:
CommandLine: process-command_line
CurrentDirectory: process-working_directory
DestinationHostname: DestinationHostname
DestinationIp: DestinationIp
Image: process-executable
LogonId: process-user-id
ParentCommandLine: process-parent-command_line
ParentImage: process-parent-executable
TargetFilename: TargetFilename
USER: USER
User: process-user-name
name: user-filesystem-name
a0: auditd-log-a0
a1: auditd-log-a1
a2: auditd-log-a2
a3: auditd-log-a3
a4: auditd-log-a4
a5: auditd-log-a5
a6: auditd-log-a6
a7: auditd-log-a7
comm: auditd-log-comm
cwd: cwd
dd: dd
exe: auditd-log-exe
execve: execve
filter: filter
key: key
name: name
pam_message: pam_message
pam_rhost: pam_rhost
pam_user: pam_user
proctitle: proctitle
syscall: syscall
truncate: truncate
type: type
uid: uid
unit: unit
uid: auditd-log-uid
USER: system-auth-user
User: system-auth-user
Image: process-exe
DestinationHostname: rsa-web-remote_domain
CommandLine: process-command_line
ParentImage: process-parent-executable
CurrentDirectory: process-working_directory
LogonId: process-real_user-id
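Review bot: The new side keeps `a0: auditd-log-a0` through `a7: auditd-log-a7`, yet the mappings.json section of this same commit only shows a path for `auditd.log.a0` (and that one sits under the `auditd-log-exe` key rather than `auditd-log-a0`); the `auditd-log-a1`…`auditd-log-a7` aliases do not appear to be declared anywhere on the new side. If that reading of the rendered diff is right, a detection rule on any of these fields resolves to an alias the index mapping never declares and silently fails to match, with no error at rule-load time. Either add the missing `auditd-log-aN` entries to mappings.json or drop these lines, and add a header comment such as `# every right-hand alias below must be declared in OSMapping/linux/mappings.json` so the two files are reviewed together. Also note that `USER: system-auth-user` and `User: system-auth-user` fold two distinct source fields into one alias, which is fine only if that is intended.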

162 changes: 33 additions & 129 deletions src/main/resources/OSMapping/linux/mappings.json
@@ -1,148 +1,52 @@
{
"properties": {
"type": {
"type": "alias",
"path": "type"
},
"name": {
"type": "alias",
"path": "name"
"user-filesystem-name": {
"path": "user.filesystem.name",
"type": "alias"
},
"auditd-log-a0": {
"type": "alias",
"path": "auditd-log-a0"
},
"auditd-log-a1": {
"type": "alias",
"path": "auditd-log-a1"
},
"auditd-log-a2": {
"type": "alias",
"path": "auditd-log-a2"
},
"auditd-log-a3": {
"type": "alias",
"path": "auditd-log-a3"
},
"auditd-log-a4": {
"type": "alias",
"path": "auditd-log-a4"
},
"auditd-log-a5": {
"type": "alias",
"path": "auditd-log-a5"
},
"auditd-log-a6": {
"type": "alias",
"path": "auditd-log-a6"
},
"auditd-log-a7": {
"type": "alias",
"path": "auditd-log-a7"
},
"execve": {
"type": "alias",
"path": "execve"
},
"truncate": {
"type": "alias",
"path": "truncate"
},
"dd": {
"type": "alias",
"path": "dd"
},
"filter": {
"type": "alias",
"path": "filter"
},
"auditd-log-exe": {
"type": "alias",
"path": "auditd-log-exe"
"path": "auditd.log.a0",
"type": "alias"
},
"auditd-log-comm": {
"type": "alias",
"path": "auditd-log-comm"
"path": "auditd.log.comm",
"type": "alias"
},
"proctitle": {
"type": "alias",
"path": "proctitle"
},
"unit": {
"type": "alias",
"path": "unit"
},
"key": {
"type": "alias",
"path": "key"
},
"syscall": {
"type": "alias",
"path": "syscall"
},
"uid": {
"type": "alias",
"path": "uid"
},
"cwd": {
"type": "alias",
"path": "cwd"
},
"USER": {
"type": "alias",
"path": "USER"
},
"TargetFilename": {
"type": "alias",
"path": "TargetFilename"
},
"Image": {
"type": "alias",
"path": "process-executable"
},
"DestinationIp": {
"type": "alias",
"path": "DestinationIp"
"auditd-log-exe": {
"path": "auditd.log.exe",
"type": "alias"
},
"DestinationHostname": {
"type": "alias",
"path": "DestinationHostname"
"auditd-log-uid": {
"path": "auditd.log.uid",
"type": "alias"
},
"pam_message": {
"type": "alias",
"path": "pam_message"
"system-auth-user": {
"path": "auditd.log.exe",
"type": "alias"
},
"pam_rhost": {
"type": "alias",
"path": "pam_rhost"
"process-exe": {
"path": "process.exe",
"type": "alias"
},
"pam_user": {
"type": "alias",
"path": "pam_user"
"rsa-web-remote_domain": {
"path": "rsa.web.remote_domain",
"type": "alias"
},
"CommandLine": {
"type": "alias",
"path": "process-command_line"
"process-command_line": {
"path": "process.command_line",
"type": "alias"
},
"process-parent-executable": {
"type": "alias",
"path": "process-parent-executable"
},
"process-user-id": {
"type": "alias",
"path": "process-user-id"
},
"process-user-name": {
"type": "alias",
"path": "process-user-name"
"path": "process.parent.executable",
"type": "alias"
},
"process-working_directory": {
"type": "alias",
"path": "process-working_directory"
"path": "process.working_directory",
"type": "alias"
},
"process-real_user-id": {
"path": "process.real_user.id",
"type": "alias"
},
"process-parent-command_line": {
"type": "alias",
"path": "process-parent-command_line"
}
}
}
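Review bot: `system-auth-user` is aliased to `auditd.log.exe` (the `"path"` line directly under the `"system-auth-user"` key), which looks like a copy-paste of the `auditd-log-exe` entry above it; because fieldmappings.yml routes both `USER` and `User` to this alias, any rule that matches on the user would be compared against the executable path and never fire. Change that line to the user field the ingested log actually carries, e.g. `"path": "<USER_FIELD_PATH — confirm against the ingested auditd schema>"`. Separately, the key `"auditd-log-exe"` appears once with the new path `auditd.log.a0` and again later with `auditd.log.exe`; if both survive on the new side that is a duplicate JSON key, which value the mapping ends up with is parser-dependent, and the first one should presumably be renamed to `"auditd-log-a0"` to match `a0: auditd-log-a0` in fieldmappings.yml. A small test that loads mappings.json with duplicate-key rejection and checks every alias named in fieldmappings.yml exists in its `properties` would catch both classes of error before release.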
