Skip to content

Rename auditd fields for ECS#10577

Merged
andrewkroh merged 2 commits intoelastic:masterfrom
andrewkroh:feature/ab/ecs-change-event-original
Feb 5, 2019
Merged

Rename auditd fields for ECS#10577
andrewkroh merged 2 commits intoelastic:masterfrom
andrewkroh:feature/ab/ecs-change-event-original

Conversation

@andrewkroh
Copy link
Copy Markdown
Member

@andrewkroh andrewkroh commented Feb 5, 2019

Change auditd.messages to event.original and auditd.warnings to error.message.
And also change user.user_information from text to keyword.

@andrewkroh andrewkroh requested review from a team as code owners February 5, 2019 16:50
@andrewkroh andrewkroh mentioned this pull request Feb 5, 2019
Closed
@andrewkroh andrewkroh requested review from cwurm and ruflin February 5, 2019 16:52
@andrewkroh andrewkroh added the ecs label Feb 5, 2019
webmat
webmat suggested changes Feb 5, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm good with event.original.

I'm not convinced for error.message, but let me know if I'm misunderstanding this one.

auditbeat/module/auditd/_meta/fields.yml Outdated
Copy link
Copy Markdown
Contributor

@webmat webmat Feb 5, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a fan of using error.message for debugging output. It's not an actual error message from the source, nor is it a processing error, really, according to the description below.

Copy link
Copy Markdown
Member Author

@andrewkroh andrewkroh Feb 5, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a processing error. For example, message would be included if an expected field were missing while processing the events from the kernel. It holds any of the error messages that are returned by go-libaudit while processing the messages.

Copy link
Copy Markdown
Contributor

@webmat webmat Feb 5, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gotcha, I'm good with that, then.

x-pack/auditbeat/module/system/user/_meta/fields.yml Outdated
Copy link
Copy Markdown
Contributor

@webmat webmat Feb 5, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@andrewkroh
Rename auditd fields for ECS
c5fb6fa 
Change `auditd.messages` to `event.original` and `auditd.warnings` to `error.message`.
And also change `user.user_information` from text to keyword.
@andrewkroh andrewkroh force-pushed the feature/ab/ecs-change-event-original branch from 84404be to c5fb6fa Compare February 5, 2019 19:14
webmat
webmat approved these changes Feb 5, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm good with this, once the pull request link is fixed :-)

@andrewkroh
Copy link
Copy Markdown
Member Author

andrewkroh commented Feb 5, 2019

Will fix. I did a rebase and lost the fix.

webmat
webmat approved these changes Feb 5, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@webmat
Copy link
Copy Markdown
Contributor

webmat commented Feb 5, 2019

Only Jenkins failure is metricbeat. Unrelated

@andrewkroh andrewkroh merged commit e8a14bb into elastic:master Feb 5, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ruflin ruflin ruflin approved these changes

@cwurm cwurm Awaiting requested review from cwurm

+1 more reviewer

@webmat webmat webmat approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Auditbeat ecs review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@andrewkroh @webmat @ruflin