[Auditbeat] Change module configuration from "metricsets" to "datasets"

[cwurm]

This changes the Auditbeat system module configuration to use "datasets" rather than "metricsets" to configure its sub-modules:

- module: system
  datasets:
    - host
    - process
    [...]

It simply overwrites the MetricSets field in the default Metricbeat configuration with the value of the datasets configuration.

@andrewkroh We talked about the difficulty of making changes to go-ucfg or to the Metricbeat code. Turns out there is no need to change anything under metricbeat/, so I think this might be ok? What do you think? I think in the long term we might still want to change to a fileset-like configuration, but for now this would avoid having a mix of "dataset" and "metricset" in anything user-facing, i.e. documentation or configuration.

Follow-up:

1. Change documentation and other places where "metricset(s)" is used

[elasticmachine]

Pinging @elastic/secops

[ruflin]

So far I kept fileset and metricset around as we still had it in the config and I thought we keep it (for example #9922). Could you share a bit more background on this change? I assume for auditbeat it would mean both options work?

[cwurm]

The data Auditbeat reports are not “metrics”. “Audit events” is probably the most accurate term. So it would be weird if its sub-modules would be called “metricsets” in the user-facing configuration and documentation. It leaks its Metricbeat roots that the user should not see. “Datasets” is the more generic term that we arrived at in the SecOps team. Metricbeat and Filebeat can keep their terms, this is just for Auditbeat. Since with this change the code would overwrite the MetricSets field with the contents of `datasets`, only `datasets` will work for Auditbeat.

…

On Fri, 11 Jan 2019 at 15:51 Nicolas Ruflin ***@***.***> wrote: So far I kept fileset and metricset around as we still had it in the config and I thought we keep it (for example #9922 <#9922>). Could you share a bit more background on this change? I assume for auditbeat it would mean both options work? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#10018 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAqZRfc3mWk25WnfK_BkqpKgaYHS6yPBks5vCLMbgaJpZM4Z7hz1> .

[ruflin]

This is then a breaking change I assume and all users have to change their config for 7? This needs a changelog entry then.

One other thing I worry about is that we have afterwards 2 different "values" of dataset. On the event side the dataset is {module}.{metricset}, on the config side it's just what metricset was previously. Do you see this as confusing or ok?

[cwurm]

This is then a breaking change I assume and all users have to change their config for 7?

Auditbeat doesn't have any metricsets at the moment, so if we can get this change in for 6.6 we would not have a breaking change.

One other thing I worry about is that we have afterwards 2 different "values" of dataset. On the event side the dataset is {module}.{metricset}, on the config side it's just what metricset was previously. Do you see this as confusing or ok?

Personally, I think this is ok, and actually preferable to the situation where it's called dataset in the event, but metricset in the configuration.

[ruflin]

Ok, SGTM for the dataset change.

[tsg]

Code change LGTM. I'd wait for a review from @andrewkroh as well, to ACK the approach.

[andrewkroh]

LGTM.