Closed
Detects package updates by checking if any of the "new" package objects have the same package name as one of the "old" package objects. The event will have `event.action: package_updated`. Also removes `InstallTime` from change detection. And for dpkg, reports packages as removed that have only been removed (`apt-get remove`) but not purged (`apt-get purge`).
…c#10560)
* The integration tests for connection, exchange and queue were removed as they only contained data generation and did not really work
* The data generation in the rabbitmq module is the way I would hope we do it in other modules in the future as it's static
* Update data.json files
Implements `{entity}.entity_id` as a SHA-256 hash as proposed in elastic#10463.
Closes elastic#10463.
This pull request migrates Winlogbeat to ECS. Changed in this PR:
- Nest most fields specific to Windows logs under "winlog.*"
  - Like we do for other log transports such as "syslog.*", "journald.*" etc.
- Align multiple field names to the Windows Log naming (e.g. the Channel is no longer "log_name", but is "winlog.channel")
- winlog.event_id is changing datatype from long to keyword
- The process and thread ID of the event logging service are nested under "winlog." as a nesting of the ECS process field set, to make the experience consistent with ECS.
- Fields migrated to ECS:
  - level => log.level (now lowercased)
  - xml => event.original
  - message_error => error.message
- New ECS fields defined:
  - event.code is not yet in ECS, but may eventually be. It's a copy of winlog.event_id
  - event.kind
  - event.action
  - event.created
  - error.code

Note that this PR only does a light adaptation to ECS, and does not look into event_data to parse out each source's information. This kind of processing is really source specific, and should be done server-side (e.g. Ingest Node). This way, improvements in event shaping can be done without a full re-deployment of Winlogbeat across a fleet of servers, and is also easier to customize for users.
elastic#10006 was merged without a CHANGELOG entry.
Seven dashboards for the Auditbeat System module: one for each dataset, and an overall overview dashboard.
Register encoders for time.Time and common.Time so that events containing timestamps can be serialized. Fixes elastic#10099
`event.type` is reserved for future use in ECS. Fallback to the original Suricata field. This undoes a previous aliasing to `event.type` in 7.0. Also sets `event.kind` to `event`.
Previous PR (elastic#10565) put this entry in the wrong section. It's an added feature, not a breaking change.
Change `auditd.messages` to `event.original` and `auditd.warnings` to `error.message`. And also change `user.user_information` from text to keyword.
…table. (elastic#10564)
* Remove experimental flags and most of the AWS provider stable.
With 7.x the data structure of the modules was changed to ECS. This has an effect on all Kibana files as the fields changed. For the migration from 6.x to 7.x it is necessary that 6.x and 7.x dashboards can coexist. To not overwrite dashboards in 7.x, all Kibana files must have a changed id and, to differentiate them in the UI, a different title. This PR does the following changes:
* Reads all changed fields from ecs-migration.yml and replaces these fields in all Kibana files. It also replaces fields inside queries and filters.
* Reads all ids used in the Kibana files and postfixes these ids with `-7x`. It also replaces ids existing in links between dashboards.
* Reads all titles in the Kibana files and appends ` 7.x` to the titles.

The change is implemented so the script can be run multiple times. This is helpful if we make changes to a few dashboards again later on: we can rerun the script without having double changes.
In 6.x Journalbeat placed its registry file under the wrong path ignoring the data.path settings. This patch lets users migrate from registries under such paths when upgrading from 6.x to 7.x.
* Fix an issue where ConfigBlocksEqual was returning false

The ordering was not preserved when comparing the values for config blocks, which resulted in multiple reloads on each fetch even if the configuration didn't change.
We were having contributions of metricsets with the release level in the description; the cause was that our generator scripts did it this way. Add a release tag to metricset templates instead of using the description field for this purpose.

Make beta the release level for new modules by default. Experimental should be kept just for real experiments or in some corner cases. The usual level for a new metricset that collects metrics from a known existing service or technology should be beta (or ga if it is really complete).
The builds on travis for metricbeat exceeded 30min. This splits up the tests into 3 parts.
* Remove deprecated Init(), pass instance.Settings around.

Ensure settings from rootCmd are respected also when calling `export` and `setup`.

fixes elastic#10720
This allows for a condition to be used with a list of processors and for a list of processors to be executed if the condition does not match.

This is a contrived example that adds fields and tags to the event if true, otherwise it drops the event.

```yaml
processors: [
  {
    "if": {
      "and": [
        {
          "equals.type": "login"
        },
        {
          "range.uid.lt": 500
        }
      ]
    },
    "then": [
      {
        "add_fields": {
          "target": "",
          "fields": {
            "uid_type": "reserved"
          }
        }
      },
      {
        "add_tags": {
          "tags": [
            "reserved_user_login"
          ]
        }
      }
    ],
    "else": {
      "drop_event": null
    }
  }
]
```
The `network` condition checks if the field is in a certain IP network range.
Both IPv4 and IPv6 addresses are supported. The network range may be specified
using CIDR notation, like "192.0.2.0/24" or "2001:db8::/32", or by using one of
these named ranges:
- `loopback` - Matches loopback addresses in the range of `127.0.0.0/8` or
`::1/128`.
- `unicast` - Matches global unicast addresses defined in RFC 1122, RFC 4632,
and RFC 4291 with the exception of the IPv4 broadcast address
(`255.255.255.255`). This includes private address ranges.
- `multicast` - Matches multicast addresses.
- `interface_local_multicast` - Matches IPv6 interface-local multicast addresses.
- `link_local_unicast` - Matches link-local unicast addresses.
- `link_local_multicast` - Matches link-local multicast addresses.
- `private` - Matches private address ranges defined in RFC 1918 (IPv4) and
RFC 4193 (IPv6).
- `public` - Matches addresses that are not loopback, unspecified, IPv4
broadcast, link local unicast, link local multicast, interface local
multicast, or private.
- `unspecified` - Matches unspecified addresses (either the IPv4 address
"0.0.0.0" or the IPv6 address "::").
Example:

```yaml
GUEST_NET: 172.16.0.0/16

processors:
  - add_fields:
      when:
        or:
          # Each branch of the "or" is a network condition on one field.
          - network.source.ip: ${GUEST_NET}
          - network.destination.ip: ${GUEST_NET}
      fields:
        network.name: guest
      target: ""
```
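The named ranges listed above map almost one-to-one onto predicates in Go's `net` package. The following is an added illustration, not libbeat's implementation from this PR: a matcher that accepts either a CIDR or one of the named ranges, with `private` and `public` spelled out exactly as the list defines them. The `or` in the example above is then just this function applied to `source.ip` and `destination.ip` in turn.

```go
package main

import (
	"fmt"
	"net"
)

// isPrivate covers RFC 1918 (IPv4) and RFC 4193 (IPv6), as the text lists them.
func isPrivate(ip net.IP) bool {
	for _, c := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"} {
		if _, n, _ := net.ParseCIDR(c); n.Contains(ip) {
			return true
		}
	}
	return false
}

// isPublic follows the definition above: not loopback, unspecified, IPv4 broadcast,
// link-local unicast/multicast, interface-local multicast, or private.
func isPublic(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsUnspecified() || ip.Equal(net.IPv4bcast) ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() || isPrivate(ip))
}

// namedRanges maps each documented range name onto a predicate over net.IP.
var namedRanges = map[string]func(net.IP) bool{
	"loopback": net.IP.IsLoopback, "unicast": net.IP.IsGlobalUnicast,
	"multicast": net.IP.IsMulticast, "interface_local_multicast": net.IP.IsInterfaceLocalMulticast,
	"link_local_unicast": net.IP.IsLinkLocalUnicast, "link_local_multicast": net.IP.IsLinkLocalMulticast,
	"private": isPrivate, "public": isPublic, "unspecified": net.IP.IsUnspecified,
}

// matchNetwork reports whether the field value is inside spec, which is either a
// CIDR such as "192.0.2.0/24" or "2001:db8::/32", or one of the named ranges.
func matchNetwork(value, spec string) (bool, error) {
	ip := net.ParseIP(value)
	if ip == nil {
		return false, fmt.Errorf("invalid IP address %q", value)
	}
	if pred, ok := namedRanges[spec]; ok {
		return pred(ip), nil
	}
	_, n, err := net.ParseCIDR(spec)
	if err != nil {
		return false, fmt.Errorf("invalid network %q: %v", spec, err)
	}
	return n.Contains(ip), nil
}
```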
fixes #apm-server/1846
Use host and port to ensure that a network connection is used and not a local socket. Use `SHOW STATUS`, which is the query used by the metricset.
* Add syslog support for ISO8601 format timestamp
* Add changelog
* Change timestamp pattern

* Add steps for loading and viewing dashboards
* Deprecate global options for backoff, max_backoff, seek, and include_matches
* Add screen capture
* Move tip to correct place in doc
Also cleans up old inaccurate snapshot references
Signed-off-by: Chris Mark <chrismarkou92@gmail.com>
* Update _meta/test/metrics
* Move mapping declaration outside of init()

Signed-off-by: Ioannis Androulidakis <ioannis@arrikto.com>
Signed-off-by: Chris Mark <chrismarkou92@gmail.com>
Signed-off-by: Ioannis Androulidakis <ioannis@arrikto.com>
* Rename metrics to stats in coredns/stats/_meta/fields.yaml
* Use .sec naming convention instead of .seconds

Signed-off-by: Ioannis Androulidakis <ioannis@arrikto.com>
Signed-off-by: Ioannis Androulidakis <ioannis@arrikto.com>
Signed-off-by: Chris <chrismarkou92@gmail.com>
ChrsMark pushed a commit that referenced this pull request on Dec 2, 2019
Signed-off-by: chrismark <chrismarkou92@gmail.com>
No description provided.