Non-breaking adjustment of osquery Filebeat module to ECS

[webmat]

No breaking field transitions, as these results are all userland data (directly based on user queries).

Rename

• read_timestamp => event.created

Fields copied out to ECS

• osquery.result.decorations.host_uuid => host.id
• osquery.result.host_identifier => host.hostname
• osquery.result.decorations.username => user.name

Also

• Innocuous typo in the fields.yml
• Changelog

[webmat]

@ruflin This one will annoy you as well. Non-breaking change, because since the OSQuery module reads "userland" data (directly related to their query), I'm copying out a few bit of info without renaming anything.

[ruflin]

As discussed in the other PR, let's not do this and rely on aliases.

[webmat]

@ruflin Ready for a quick review. No breaking changes here. Test failures unrelated (heartbeat and libbeat)

[ruflin]

@webmat See other PR for the comments related to alias. We should go with alias instead of copying.

[webmat]

@ruflin Are you saying we should move the data to the ECS field name, and put in place an alias inside the user's query result objects towards the ECS name?

@tsg How were these events generated, by the way? The /test/ log examples don't look like answers to ad hoc queries. It looks more like the result of some structured sets of queries. Are the following fields expected to be present most of the time? .host_identifier, .decorations.host_uuid and .decorations.username

[ruflin]

@webmat I'm suggestion we do here the same as for all other modules.

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b ecs-osquery-fb upstream/ecs-osquery-fb
git merge upstream/master
git push upstream ecs-osquery-fb