Merge branch 'master' of github.com:elastic/beats into feat/keep-http

elastic · Apr 20, 2021 · 5d76900 · 5d76900
2 parents 7715548 + 9013d07
commit 5d76900
Show file tree

Hide file tree

Showing 420 changed files with 32,811 additions and 6,222 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -392,6 +392,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix date parsing in GSuite/login and Google Workspace/login filesets. {issue}24694[24694]
 - Fix date parsing in GSuite/login fileset. {issue}24694[24694]
 - Improve Cisco ASA/FTD parsing of messages - better support for identity FW messages. Change network.bytes, source.bytes, and destination.bytes to long from integer since value can exceed integer capacity.  Add descriptions for various processors for easier pipeline editing in Kibana UI. {pull}23766[23766]
+- Fix usage of unallowed ECS event.outcome values in Cisco ASA/FTD pipeline. {pull}24744[24744].
 - Updating Oauth2 flow for m365_defender fileset. {pull}24829[24829]
 - Improve PanOS parsing and ingest pipeline. {issue}22413[22413] {issue}22748[22748] {pull}24799[24799]
 - Fix S3 input validation for non amazonaws.com domains. {issue}24420[24420] {pull}24861[24861]
@@ -615,6 +616,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add new ECS 1.9 field `cloud.service.name` to `add_cloud_metadata` processor. {pull}24993[24993]
 - Libbeat: report queue capacity, output batch size, and output client count to monitoring. {pull}24700[24700]
 - Add kubernetes.pod.ip field in kubernetes metadata. {pull}25037[25037]
+- Discover changes in Kubernetes namespace metadata as soon as they happen. {pull}25117[25117]
 
 *Auditbeat*
 
@@ -830,12 +832,15 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Support X-Forwarder-For in IIS logs. {pull}19142[192142]
 - Add support for logs generated by servers configured with `log_statement` and `log_duration` in PostgreSQL module. {pull}24607[24607]
 - Updating field mappings for Cisco AMP module, fixing certain fields. {pull}24661[24661]
+- Added fifteen new message IDs to Cisco ASA/FTD pipeline. {pull}24744[24744]
 - Added NTP fileset to Zeek module {pull}24224[24224]
 - Add `proxy_url` config for httpjson v2 input. {issue}24615[24615] {pull}24662[24662]
 - Add support for upper case field names in Sophos XG module {pull}24693[24693]
 - Add `fail_on_template_error` option for httpjson input. {pull}24784[24784]
 - Change `okta.target` to `flattened` field type.  {issue}24354[24354] {pull}24636[24636]
 - Added `http.request.id` to `nginx/ingress_controller` and `elasticsearch/audit`. {pull}24994[24994]
+- Add `awsfargate` module to collect container logs from Amazon ECS on Fargate. {pull}25041[25041]
+- New module `cyberarkpas` for CyberArk Privileged Access Security audit logs. {pull}24803[24803]
 
 *Heartbeat*
 

diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc
@@ -2477,15 +2477,6 @@ type: keyword
 
 --
 
-*`user_agent.device.type`*::
-+
---
-Type of device where the user agent is running.
-
-type: keyword
-
---
-
 [[exported-fields-cloud]]
 == Cloud provider metadata fields
 

diff --git a/auditbeat/include/fields.go b/auditbeat/include/fields.go
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -17,6 +17,7 @@ grouped in the following categories:
 * <<exported-fields-auditd>>
 * <<exported-fields-aws>>
 * <<exported-fields-aws-cloudwatch>>
+* <<exported-fields-awsfargate>>
 * <<exported-fields-azure>>
 * <<exported-fields-barracuda>>
 * <<exported-fields-beat-common>>
@@ -29,6 +30,7 @@ grouped in the following categories:
 * <<exported-fields-coredns>>
 * <<exported-fields-crowdstrike>>
 * <<exported-fields-cyberark>>
+* <<exported-fields-cyberarkpas>>
 * <<exported-fields-cylance>>
 * <<exported-fields-docker-processor>>
 * <<exported-fields-ecs>>
@@ -2317,6 +2319,26 @@ type: keyword
 
 --
 
+[[exported-fields-awsfargate]]
+== AWS Fargate fields
+
+Module for collecting container logs from Amazon ECS Fargate.
+
+
+
+[float]
+=== awsfargate
+
+Fields from Amazon ECS Fargate logs.
+
+
+
+[float]
+=== log
+
+Fields for Amazon Fargate container logs.
+
+
 [[exported-fields-azure]]
 == Azure fields
 
@@ -9190,15 +9212,6 @@ type: keyword
 
 --
 
-*`user_agent.device.type`*::
-+
---
-Type of device where the user agent is running.
-
-type: keyword
-
---
-
 [[exported-fields-bluecoat]]
 == Blue Coat Director fields
 
@@ -34187,6 +34200,268 @@ type: keyword
 
 --
 
+[[exported-fields-cyberarkpas]]
+== CyberArk PAS fields
+
+cyberarkpas fields.
+
+
+
+
+[float]
+=== audit
+
+Cyberark Privileged Access Security Audit fields.
+
+
+
+*`cyberarkpas.audit.action`*::
++
+--
+A description of the audit record.
+
+type: keyword
+
+--
+
+*`cyberarkpas.audit.ca_properties`*::
++
+--
+Account metadata.
+
+type: flattened
+
+--
+
+*`cyberarkpas.audit.category`*::
++
+--
+The category name (for category-related operations).
+
+type: keyword
+
+--
+
+*`cyberarkpas.audit.desc`*::
++
+--
+A static value that displays a description of the audit codes.
+
+type: keyword
+
+--
+
+*`cyberarkpas.audit.extra_details`*::
++
+--
+Specific extra details of the audit records.
+
+type: flattened
+
+--
+
+*`cyberarkpas.audit.file`*::
++
+--
+The name of the target file.
+
+type: keyword
+
+--
+
+*`cyberarkpas.audit.gateway_station`*::
++
+--
+The IP of the web application machine (PVWA).
+
+type: ip
+
+--
+
+*`cyberarkpas.audit.hostname`*::
++
+--
+The hostname, in upper case.
+
+type: keyword
+
+example: MY-COMPUTER
+
+--
+
+*`cyberarkpas.audit.iso_timestamp`*::
++
+--
+The timestamp, in ISO Timestamp format (RFC 3339).
+
+type: date
+
+example: 2013-06-25 10:47:19+00:00
+
+--
+
+*`cyberarkpas.audit.issuer`*::
++
+--
+The Vault user who wrote the audit. This is usually the user who performed the operation.
+
+type: keyword
+
+--
+
+*`cyberarkpas.audit.location`*::
++
+--
+The target Location (for Location operations).
+
+type: keyword
+
+Field is not indexed.
+
+--
+
+*`cyberarkpas.audit.message`*::
++
+--
+A description of the audit records (same information as in the Desc field).
+
+type: keyword
+
+--
+
+*`cyberarkpas.audit.message_id`*::
++
+--
+The code ID of the audit records.
+
+type: keyword
+
+--
+
+*`cyberarkpas.audit.product`*::
++
+--
+A static value that represents the product.
+
+type: keyword
+
+--
+
+*`cyberarkpas.audit.pvwa_details`*::
++
+--
+Specific details of the PVWA audit records.
+
+type: flattened
+
+--
+
+*`cyberarkpas.audit.raw`*::
++
+--
+Raw XML for the original audit record. Only present when XSLT file has debugging enabled.
+
+
+type: keyword
+
+Field is not indexed.
+
+--
+
+*`cyberarkpas.audit.reason`*::
++
+--
+The reason entered by the user.
+
+type: text
+
+--
+
+*`cyberarkpas.audit.rfc5424`*::
++
+--
+Whether the syslog format complies with RFC5424.
+
+type: boolean
+
+example: True
+
+--
+
+*`cyberarkpas.audit.safe`*::
++
+--
+The name of the target Safe.
+
+type: keyword
+
+--
+
+*`cyberarkpas.audit.severity`*::
++
+--
+The severity of the audit records.
+
+type: keyword
+
+--
+
+*`cyberarkpas.audit.source_user`*::
++
+--
+The name of the Vault user who performed the operation.
+
+type: keyword
+
+--
+
+*`cyberarkpas.audit.station`*::
++
+--
+The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP.
+
+type: ip
+
+--
+
+*`cyberarkpas.audit.target_user`*::
++
+--
+The name of the Vault user on which the operation was performed.
+
+type: keyword
+
+--
+
+*`cyberarkpas.audit.timestamp`*::
++
+--
+The timestamp, in MMM DD HH:MM:SS format.
+
+type: keyword
+
+example: Jun 25 10:47:19
+
+--
+
+*`cyberarkpas.audit.vendor`*::
++
+--
+A static value that represents the vendor.
+
+type: keyword
+
+--
+
+*`cyberarkpas.audit.version`*::
++
+--
+A static value that represents the version of the Vault.
+
+type: keyword
+
+--
+
 [[exported-fields-cylance]]
 == CylanceProtect fields
 

diff --git a/filebeat/docs/images/filebeat-cyberarkpas-overview.png b/filebeat/docs/images/filebeat-cyberarkpas-overview.png