Skip to content

Update Beats to ECS 1.8.0#23465

Merged
adriansr merged 43 commits intomasterfrom
feature-ecs-1.8
Feb 16, 2021
Merged

Update Beats to ECS 1.8.0#23465
adriansr merged 43 commits intomasterfrom
feature-ecs-1.8

Conversation

@adriansr
Copy link
Copy Markdown
Contributor

@adriansr adriansr commented Jan 12, 2021
edited
Loading

What does this PR do?

Incorporates ECS 1.8 changes from the following PRs:

@adriansr adriansr added enhancement in progress Pull request is currently in progress. ecs labels Jan 12, 2021
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jan 12, 2021
@adriansr adriansr changed the title Update fields.ecs.yml from ECS 1.8-dev branch [DRAFT] Update Beats to ECS 1.8 Jan 12, 2021
@adriansr adriansr changed the title [DRAFT] Update Beats to ECS 1.8 [WIP] Update Beats to ECS 1.8 Jan 12, 2021
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jan 12, 2021
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Jan 12, 2021
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: Pull request #23465 updated

  • Start Time: 2021-02-16T16:36:13.233+0000

  • Duration: 160 min 39 sec

  • Commit: b94a9ad

Test stats 🧪

Test Results
Failed 0
Passed 46595
Skipped 4804
Total 51399

Trends 🧪

Image of Build Times

Image of Tests

Steps errors 1

Expand to view the steps failures

heartbeat-build - Install Go/Mage/Python/Docker/Terraform 1.15.8
  • Took 0 min 1 sec . View more details on here
  • Description: .ci/scripts/install-tools.sh

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test Results
Failed 0
Passed 46595
Skipped 4804
Total 51399

@adriansr
Update fields.ecs.yml from ECS 1.8-dev branch
c9d51a4
@adriansr
make update
1d6b885
@adriansr
Update ecs dependency to 1.8 branch
fc89c23
@adriansr
Fix packetbeat's test after ECS update
58c1b12 
Upgrading ECS Go definitions to 1.8 caused Packetbeat's HTTP event_test
to fail due to a couple of new ECS fields introduced in v1.7 not being
expected. Those are:

- request.mime_type
- response.mime_type

Packetbeat doesn't actually fill those fields. That task is acomplished
by the detect_mime_type processor.
@adriansr
fix linting of go.sum
e1670c8
@adriansr
Update NOTICE
394d596
@adriansr
Remove colliding fields in Auditbeat
795e788
@adriansr
Remove colliding fields from filebeat
376b26f
adriansr and others added 11 commits February 2, 2021 12:44
@adriansr
Add os.type field from ECS 1.8 (#23513)
d8cfad6 
Adds the host.os.type field introduced by ECS 1.8.0.

Possible values for this field are:
- linux
- macos
- unix
- windows

The field will be missing for OSes not in the list.

Related #23118
@adriansr
Merge branch 'master' into feature-ecs-1.8
0522fec
@marc-gr
[ECS] Winlogbeat ecs 1.8 changes (#23563)
cd4bcb2 
* User enhancements for powershell module

* User enhancements for security and sysmon module

* Add registry category to events

* Add session category to events

* Set target group when possible
@marc-gr
[Journalbeat][ecs] Journalbeat ecs 1.8 (#23737)
ee8edd0 
* Improve ECS mappings and upgrade to ecs 1.8

* Run mage update
@marc-gr
Upgrade cisco modules to ecs 1.8 (#23819)
1685e84
@marc-gr @adriansr
[ECS][Filebeat] Gsuite/Google Workspace ECS 1.8 (#23709)
0d45c3f 
* Add new ECS user and categories features to google_workspace/gsuite

* Update CHANGELOG.next.asciidoc

Co-authored-by: Adrian Serrano <adrisr83@gmail.com>

Co-authored-by: Adrian Serrano <adrisr83@gmail.com>
@marc-gr
[ECS] Packetbeat ecs 1.8 (#23783)
d837c3e 
* Packetbeat changes for ECS 1.8

* Remove unused parameter
@adriansr
Merge remote-tracking branch 'upstream/master' into feature-ecs-1.8
60ac401
@adriansr
Update Auditbeat auditd module to ECS 1.8 (#23594)
c51272d 
Updates Auditbeat to new ECS 1.8.
- Support new user/group fields provided by go-libaudit.
- Support AUDIT_LOGIN.
- Adds golden file tests to auditd.
- Updates elastic/go-libaudit dependency to v2.2.0.
@marc-gr
Move logic to ingest pipeline nad upgrade ECS to 1.8.0 (#23875)
005266e
@adriansr
Update filebeat auditd module to ECS 1.8 (#23723)
5e868f8 
Update the auditd module in Filebeat to apply the same ECS enrichments as Auditbeat / go-libaudit.
This is achieved by an autogenerated processor that performs the enrichments defined in go-libaudit's
normalizations.yaml.
marc-gr and others added 3 commits February 12, 2021 10:35
@marc-gr
[ecs] Upgrade okta to ecs 1.8.0 and move js processor to ingest pipel…
ee269f0 
…ine (#23929)

* Upgrade okta to ecs 1.8.0 and move js processor to ingest pipeline

* Add description field and set _id properly
@adriansr
Update zoom module to ECS 1.8 (#23904)
c4b6fd2 
Updates zoom pipeline with new ECS 1.8 mappings (multiuser).
Fixes a couple of issues with the existing module:
- user events: missing mapping for event.category (wrongly mapped to event.type).
- chat_channel events: fixed an error in the pipeline that caused some events to be dropped on ingestion.
@adriansr
Merge branch 'master' into feature-ecs-1.8
4c884ad
@adriansr adriansr marked this pull request as ready for review February 12, 2021 17:40
@adriansr adriansr requested review from a team as code owners February 12, 2021 17:40
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Feb 12, 2021

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@adriansr adriansr added review and removed in progress Pull request is currently in progress. labels Feb 12, 2021
@adriansr adriansr changed the title [WIP] Update Beats to ECS 1.8 Update Beats to ECS 1.8.0 Feb 12, 2021
andrewkroh
andrewkroh approved these changes Feb 16, 2021
View reviewed changes
Copy link
Copy Markdown
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM assuming CI is green. The changes in the feature branch were reviewed in their respective PRs.

@adriansr adriansr merged commit 048c3cc into master Feb 16, 2021
@adriansr adriansr mentioned this pull request Feb 16, 2021
Merged
28 tasks
adriansr added a commit to adriansr/beats that referenced this pull request Feb 17, 2021
@adriansr @marc-gr
Update Beats to ECS 1.8.0 (elastic#23465)
5ca7510 
Incorporates ECS 1.8 changes from the following PRs:

Support host.type field in add_host_metadata processor and Auditbeat's system/host elastic#23513

Winlogbeat elastic#23563

Auditbeat auditd elastic#23594

Journalbeat elastic#23737

Packetbeat elastic#23783

Filebeat:
    auditd elastic#23723
    cisco elastic#23819
    cef elastic#23832
    crowdstrike falcon elastic#23875
    fortinet firewall elastic#23902
    microsoft elastic#23897
    elasticsearch/audit elastic#24000
    Gsuite/Workspace elastic#23709
    o365 elastic#23896
    zoom elastic#23904
    okta elastic#23929
    aws/cloudtrail elastic#23911
    aws/s3access elastic#23920
    azure elastic#23927
    juniper/srx elastic#23936
    panw elastic#23931
    sophos/xg elastic#23967
    system/auth elastic#23961
    mysqlenterprise elastic#23978
    zeek elastic#23847

Make all Beats and modules report ECS 1.8.0 elastic#23992

Closes elastic#23118

Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>
(cherry picked from commit 048c3cc)
adriansr added a commit that referenced this pull request Feb 17, 2021
@adriansr
Cherry-pick #23465 to 7.x: Update Beats to ECS 1.8.0 (#24072)
9d1db61 
Incorporates ECS 1.8 changes from the following PRs:

Support host.type field in add_host_metadata processor and Auditbeat's system/host #23513

Winlogbeat #23563

Auditbeat auditd #23594

Journalbeat #23737

Packetbeat #23783

Filebeat:
    auditd #23723
    cisco #23819
    cef #23832
    crowdstrike falcon #23875
    fortinet firewall #23902
    microsoft #23897
    elasticsearch/audit #24000
    Gsuite/Workspace #23709
    o365 #23896
    zoom #23904
    okta #23929
    aws/cloudtrail #23911
    aws/s3access #23920
    azure #23927
    juniper/srx #23936
    panw #23931
    sophos/xg #23967
    system/auth #23961
    mysqlenterprise #23978
    zeek #23847

Make all Beats and modules report ECS 1.8.0 #23992

Closes #23118

Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>

(cherry picked from commit 048c3cc)
v1v added a commit to v1v/beats that referenced this pull request Feb 17, 2021
@v1v
Merge remote-tracking branch 'upstream/master' into feature/packaging…
e737d7e 
…-arm

* upstream/master:
  [CI] install docker-compose with retry (elastic#24069)
  Add nodes to filebeat-kubernetes.yaml ClusterRole - fixes elastic#24051 (elastic#24052)
  updating manifest files for filebeat threatintel module (elastic#24074)
  Add Zeek Signatures (elastic#23772)
  Update Beats to ECS 1.8.0 (elastic#23465)
  Support running Docker logging plugin on ARM64 (elastic#24034)
  Fix ec2 metricset fields.yml and add integration test (elastic#23726)
  Only build targz and zip versions of Beats if PACKAGES is set in agent (elastic#24060)
  [Filebeat] Add field definitions for known Netflow/IPFIX vendor fields (elastic#23773)
  [Elastic Agent] Enroll with Fleet Server (elastic#23865)
  [Filebeat] Convert logstash logEvent.action objects to strings (elastic#23944)
  [Ingest Management] Fix reloading of log level for services (elastic#24055)
  Add Agent standalone k8s manifest (elastic#23679)
@axw axw mentioned this pull request Feb 17, 2021
Merged
v1v added a commit to v1v/beats that referenced this pull request Feb 17, 2021
@v1v
Merge remote-tracking branch 'upstream/master' into feature/retry-win…
e977e49 
…dows-7

* upstream/master: (332 commits)
  Use ECS v1.8.0 (elastic#24086)
  Add support for postgresql csv logs (elastic#23334)
  [Heartbeat] Refactor config system (elastic#23467)
  [CI] install docker-compose with retry (elastic#24069)
  Add nodes to filebeat-kubernetes.yaml ClusterRole - fixes elastic#24051 (elastic#24052)
  updating manifest files for filebeat threatintel module (elastic#24074)
  Add Zeek Signatures (elastic#23772)
  Update Beats to ECS 1.8.0 (elastic#23465)
  Support running Docker logging plugin on ARM64 (elastic#24034)
  Fix ec2 metricset fields.yml and add integration test (elastic#23726)
  Only build targz and zip versions of Beats if PACKAGES is set in agent (elastic#24060)
  [Filebeat] Add field definitions for known Netflow/IPFIX vendor fields (elastic#23773)
  [Elastic Agent] Enroll with Fleet Server (elastic#23865)
  [Filebeat] Convert logstash logEvent.action objects to strings (elastic#23944)
  [Ingest Management] Fix reloading of log level for services (elastic#24055)
  Add Agent standalone k8s manifest (elastic#23679)
  [Metricbeat][Kubernetes] Extend state_node with more conditions (elastic#23905)
  [CI] googleStorageUploadExt step (elastic#24048)
  Check fields are documented for aws metricsets (elastic#23887)
  Update go-concert to 0.1.0 (elastic#23770)
  ...
@v1v v1v deleted the feature-ecs-1.8 branch April 8, 2025 18:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

@P1llus P1llus Awaiting requested review from P1llus

@andrewstucki andrewstucki Awaiting requested review from andrewstucki

@leehinman leehinman Awaiting requested review from leehinman

Assignees

No one assigned

Labels

ecs enhancement review v7.12.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[ECS] Upgrade modules to 1.8

4 participants

@adriansr @elasticmachine @andrewkroh @marc-gr