
Rename auditd fields for ECS #10577

Merged

Conversation

andrewkroh (Member) opened the pull request:
Change auditd.messages to event.original and auditd.warnings to error.message.
And also change user.user_information from text to keyword.

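The rename described above, expressed as an Elasticsearch index mapping so the alias mechanism is visible end to end. This is an added example for illustration, not the project's fields.yml or the template Beats generates from it; the target types for error.message (text) and event.original (keyword), and the ignore_above limits on the keyword fields, are assumptions here rather than facts taken from the pull request.

```json
{
  "mappings": {
    "properties": {
      "event": {
        "properties": {
          "original": { "type": "keyword", "ignore_above": 1024 }
        }
      },
      "error": {
        "properties": {
          "message": { "type": "text" }
        }
      },
      "auditd": {
        "properties": {
          "messages": { "type": "alias", "path": "event.original" },
          "warnings": { "type": "alias", "path": "error.message" }
        }
      },
      "user": {
        "properties": {
          "user_information": { "type": "keyword", "ignore_above": 1024 }
        }
      }
    }
  }
}
```

With this mapping, a query on `auditd.warnings` is resolved by Elasticsearch to `error.message` at search time, so old saved searches keep working on indices created from the new template. Two caveats matter for a migration like this: an alias only resolves against the mapping of the index being searched, so indices created before the template change still hold a concrete `auditd.warnings` field with its old type, and an alias takes on the target's type, so behaviour that depended on the old type (for example a terms aggregation on a keyword field) changes if the target is mapped differently.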
webmat (Contributor) left a comment:
I'm good with event.original.

I'm not convinced for error.message, but let me know if I'm misunderstanding this one.

CHANGELOG.next.asciidoc: review thread (outdated, resolved)
type: keyword
type: alias
migration: true
path: error.message
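Review bot: Turning auditd.warnings into an alias (`type: alias` / `path: error.message`) makes the field follow the mapping of error.message instead of the former `type: keyword`, so any exact-match filter or terms aggregation users ran on auditd.warnings will behave differently if error.message is mapped as text; that deserves an explicit line in CHANGELOG.next.asciidoc as a behaviour change, not just a rename. Also confirm that error.message is defined in the same template the alias lands in, because Elasticsearch rejects an alias whose path does not refer to an existing field at index creation.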
Contributor:
Not a fan of using error.message for debugging output. It's not an actual error message from the source, nor is it a processing error, really, according to the description below.

andrewkroh (Member Author):
It's a processing error. For example, a message would be included if an expected field were missing while processing the events from the kernel. It holds any of the error messages that are returned by go-libaudit while processing the messages.

Contributor:
Gotcha, I'm good with that, then.

@@ -25,7 +25,7 @@
description: >
Program to run at login.
- name: user_information
type: text
type: keyword
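Review bot: Changing user_information from `type: text` to `type: keyword` turns analyzed, token-based matching into exact, case-sensitive matching, and Beats templates apply an ignore_above limit to keyword fields by default, so long values would be stored but not indexed; confirm this field is only ever used for exact lookups and that no existing dashboard or saved search relies on partial matches. The new type also cannot be applied to existing indices (a mapping type change requires a new index), so it should be listed in the changelog alongside the alias renames.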
Contributor:
👍

Change `auditd.messages` to `event.original` and `auditd.warnings` to `error.message`.
And also change `user.user_information` from text to keyword.
@andrewkroh andrewkroh force-pushed the feature/ab/ecs-change-event-original branch from 84404be to c5fb6fa Compare February 5, 2019 19:14
webmat (Contributor) left a comment:
I'm good with this, once the pull request link is fixed :-)

CHANGELOG.next.asciidoc: review thread (outdated, resolved)
andrewkroh (Member Author):
Will fix. I did a rebase and lost the fix.

webmat (Contributor) left a comment:
LGTM

webmat (Contributor) commented Feb 5, 2019:

Only Jenkins failure is metricbeat. Unrelated

@andrewkroh andrewkroh merged commit e8a14bb into elastic:master Feb 5, 2019
3 participants