diff --git a/x-pack/auditbeat/module/system/package/package.go b/x-pack/auditbeat/module/system/package/package.go
index d80174f2478..b6b11593520 100644
--- a/x-pack/auditbeat/module/system/package/package.go
+++ b/x-pack/auditbeat/module/system/package/package.go
@@ -122,6 +122,7 @@ type Package struct {
 Summary string
 URL string
 Error error
+ Type string
 }
 
 // Hash creates a hash for Package.
@@ -134,11 +135,15 @@ func (pkg Package) Hash() uint64 {
 return h.Sum64()
 }
 
-func (pkg Package) toMapStr() common.MapStr {
+func (pkg Package) toMapStr() (common.MapStr, common.MapStr) {
 mapstr := common.MapStr{
 "name": pkg.Name,
 "version": pkg.Version,
 }
+ ecsMapstr := common.MapStr{
+ "name": pkg.Name,
+ "version": pkg.Version,
+ }
 
 if pkg.Release != "" {
 mapstr.Put("release", pkg.Release)
@@ -146,29 +151,39 @@ func (pkg Package) toMapStr() common.MapStr {
 
 if pkg.Arch != "" {
 mapstr.Put("arch", pkg.Arch)
+ ecsMapstr.Put("architecture", pkg.License)
 }
 
 if pkg.License != "" {
 mapstr.Put("license", pkg.License)
+ ecsMapstr.Put("license", pkg.License)
 }
 
 if !pkg.InstallTime.IsZero() {
 mapstr.Put("installtime", pkg.InstallTime)
+ ecsMapstr.Put("installed", pkg.InstallTime)
 }
 
 if pkg.Size != 0 {
 mapstr.Put("size", pkg.Size)
+ ecsMapstr.Put("size", pkg.Size)
 }
 
 if pkg.Summary != "" {
 mapstr.Put("summary", pkg.Summary)
+ ecsMapstr.Put("description", pkg.Summary)
 }
 
 if pkg.URL != "" {
 mapstr.Put("url", pkg.URL)
+ ecsMapstr.Put("reference", pkg.URL)
 }
 
- return mapstr
+ if pkg.Type != "" {
+ ecsMapstr.Put("type", pkg.Type)
+ }
+
+ return mapstr, ecsMapstr
 }
 
 // entityID creates an ID that uniquely identifies this package across machines.
@@ -355,6 +370,7 @@ func convertToPackage(cacheValues []interface{}) []*Package {
 }
 
 func (ms *MetricSet) packageEvent(pkg *Package, eventType string, action eventAction) mb.Event {
+ pkgFields, ecsPkgFields := pkg.toMapStr()
 event := mb.Event{
 RootFields: common.MapStr{
 "event": common.MapStr{
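Review bot: The added `Type string` field carries no comment saying what it holds or which values are expected, yet the providers in this commit populate it from bare literals (`"dpkg"`, `"brew"`, `"rpm"`) spread over four files. A one-line field comment such as `// Type identifies the package manager/format the package came from (emitted as ECS package.type).` plus a small `const` block for the three spellings would keep them from drifting. The rest of the Package struct begins before this hunk, so I cannot see whether the neighbouring fields are commented in the same way.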
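Review bot: The new signature returns two unnamed `common.MapStr` values, and nothing on the method says which is the legacy metricset map and which is the ECS map, so a caller that swaps them still compiles. A doc comment above the signature would settle it: `// toMapStr returns the legacy system.audit.package fields and the ECS package.* fields, in that order.` Named results would also work, but `mapstr` and `ecsMapstr` are already used as locals inside the body, so a comment is the lighter change. The body of toMapStr continues into the next hunk.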
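Review bot: Inside the `if pkg.Arch != ""` block the new line `ecsMapstr.Put("architecture", pkg.License)` writes the license string into ECS `package.architecture`; it should be `ecsMapstr.Put("architecture", pkg.Arch)`. The legacy `mapstr.Put("arch", pkg.Arch)` one line above is correct, so the two maps will disagree for every package that has an architecture, and any detection or inventory rule keyed on `package.architecture` will see values like license names instead. Neither of the test hunks in this commit asserts `package.architecture`, which is why the mismatch goes unnoticed. toMapStr starts in the previous hunk.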
@@ -363,9 +379,10 @@ func (ms *MetricSet) packageEvent(pkg *Package, eventType string, action eventAc
 "type": []string{action.Type()},
 "action": action.String(),
 },
+ "package": ecsPkgFields,
 "message": packageMessage(pkg, action),
 },
- MetricSetFields: pkg.toMapStr(),
+ MetricSetFields: pkgFields,
 }
 
 if ms.HostID() != "" {
@@ -555,7 +572,9 @@ func (ms *MetricSet) listDebPackages() ([]*Package, error) {
 value := strings.TrimSpace(words[1])
 
 if pkg == nil {
- pkg = &Package{}
+ pkg = &Package{
+ Type: "dpkg",
+ }
 }
 
 switch strings.ToLower(words[0]) {
diff --git a/x-pack/auditbeat/module/system/package/package_homebrew.go b/x-pack/auditbeat/module/system/package/package_homebrew.go
index b5b8fa5b36d..063c99187a7 100644
--- a/x-pack/auditbeat/module/system/package/package_homebrew.go
+++ b/x-pack/auditbeat/module/system/package/package_homebrew.go
@@ -52,6 +52,7 @@ func listBrewPackages() ([]*Package, error) {
 Name: packageDir.Name(),
 Version: version.Name(),
 InstallTime: version.ModTime(),
+ Type: "brew",
 }
 
 // Read formula
diff --git a/x-pack/auditbeat/module/system/package/package_homebrew_test.go b/x-pack/auditbeat/module/system/package/package_homebrew_test.go
index 007ae741f53..97fc149fe01 100644
--- a/x-pack/auditbeat/module/system/package/package_homebrew_test.go
+++ b/x-pack/auditbeat/module/system/package/package_homebrew_test.go
@@ -59,6 +59,11 @@ func TestHomebrew(t *testing.T) {
 checkFieldValue(t, event, "system.audit.package.url", "https://www.elastic.co/")
 checkFieldValue(t, event, "system.audit.package.version", "1.0.0")
 checkFieldValue(t, event, "system.audit.package.entity_id", "Krm421rtYM4wgq1S")
+ checkFieldValue(t, event, "package.name", "test-package")
+ checkFieldValue(t, event, "package.description", "Test package")
+ checkFieldValue(t, event, "package.reference", "https://www.elastic.co/")
+ checkFieldValue(t, event, "package.version", "1.0.0")
+ checkFieldValue(t, event, "package.type", "brew")
 }
 }
 }
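Review bot: `Type: "dpkg"` in listDebPackages names the package manager, whereas the ECS definition of `package.type` (as I recall it) asks for the package file type and gives `deb` and `rpm` as examples; worth checking against the current ECS field reference before the value is pinned by the test fixture in package_test.go. If `deb` is the intended value, the one-line change is `Type: "deb",` here and in the matching assertion. The `"rpm"` literals in rpm_linux.go and rpm_common_test.go read the same under either interpretation, so they are unaffected. The enclosing loop of listDebPackages starts and ends outside this hunk.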
diff --git a/x-pack/auditbeat/module/system/package/package_test.go b/x-pack/auditbeat/module/system/package/package_test.go
index d1d8aa5e7f9..c2261015291 100644
--- a/x-pack/auditbeat/module/system/package/package_test.go
+++ b/x-pack/auditbeat/module/system/package/package_test.go
@@ -75,6 +75,12 @@ func TestDpkg(t *testing.T) {
 checkFieldValue(t, event, "system.audit.package.summary", "Test Package")
 checkFieldValue(t, event, "system.audit.package.url", "https://www.elastic.co/")
 checkFieldValue(t, event, "system.audit.package.version", "8.2.0-1ubuntu2~18.04")
+ checkFieldValue(t, event, "package.name", "test")
+ checkFieldValue(t, event, "package.size", uint64(269))
+ checkFieldValue(t, event, "package.description", "Test Package")
+ checkFieldValue(t, event, "package.reference", "https://www.elastic.co/")
+ checkFieldValue(t, event, "package.version", "8.2.0-1ubuntu2~18.04")
+ checkFieldValue(t, event, "package.type", "dpkg")
 }
 }
 
diff --git a/x-pack/auditbeat/module/system/package/rpm_common_test.go b/x-pack/auditbeat/module/system/package/rpm_common_test.go
index 2e75d475811..ce384e9165c 100644
--- a/x-pack/auditbeat/module/system/package/rpm_common_test.go
+++ b/x-pack/auditbeat/module/system/package/rpm_common_test.go
@@ -41,6 +41,7 @@ func rpmPackagesByExec() ([]*Package, error) {
 // size - 6
 URL: words[7],
 Summary: words[8],
+ Type: "rpm",
 }
 ts, err := strconv.ParseInt(words[5], 10, 64)
 if err != nil {
diff --git a/x-pack/auditbeat/module/system/package/rpm_linux.go b/x-pack/auditbeat/module/system/package/rpm_linux.go
index 46e4f34cbc4..76e10fd8164 100644
--- a/x-pack/auditbeat/module/system/package/rpm_linux.go
+++ b/x-pack/auditbeat/module/system/package/rpm_linux.go
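Review bot: The new TestDpkg assertions cover `package.name`, `size`, `description`, `reference`, `version` and `type` but not `package.architecture`, which is the one ECS field that toMapStr in package.go fills from a different struct member (`pkg.License`) than its legacy counterpart `system.audit.package.arch`; an assertion here would have caught that. Adding `checkFieldValue(t, event, "package.architecture", <arch-from-dpkg-fixture>)` (placeholder — use whatever the test status file declares) pins the mapping. The homebrew test hunk has the same gap, though a brew formula may legitimately carry no architecture. The test's loop body starts before this hunk.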
@@ -357,7 +357,9 @@ func packageFromHeader(header C.Header, openedLibrpm *librpm) (*Package, error)
 }
 defer C.my_headerFree(openedLibrpm.headerFree, header)
 
- pkg := Package{}
+ pkg := Package{
+ Type: "rpm",
+ }
 
 name := C.my_headerGetString(openedLibrpm.headerGetString, header, RPMTAG_NAME)
 if name != nil {