Skip to content

[Auditbeat] Cherry-pick #9732 to 6.6: User metricset: Fetch groups by user#9872

Merged
cwurm merged 1 commit intoelastic:6.6from
cwurm:backport_9732_6.6
Jan 4, 2019
Merged

[Auditbeat] Cherry-pick #9732 to 6.6: User metricset: Fetch groups by user#9872
cwurm merged 1 commit intoelastic:6.6from
cwurm:backport_9732_6.6

Conversation

@cwurm
Copy link
Copy Markdown
Contributor

@cwurm cwurm commented Jan 3, 2019

Cherry-pick of PR #9732 to 6.6 branch. Original message:

Currently, the user metricset reads all users, then reads all groups and their members and matches one to the other. This can be a problem when groups have a lot of members (see #9679).

This changes to looking up groups of individual users.

It also changes the types of the system.audit.user.uid and system.audit.user.gid fields from integer to keyword to accommodate Windows in the future (Go's User and Group structs use strings, so does ECS user.id/group.id).

Because the internal structure of the User struct changes, this invalidates previous beat.db files. I have not added any conversion logic this time since this metricset is not released yet - but we will have to do it in the future.

Fixes #9679.

[Auditbeat] User metricset: Fetch groups by user (elastic#9732)
3202128 
Changes the user metricset to looking up groups by user instead of users by groups.

Also changes the types of the system.audit.user.uid and system.audit.user.gid fields from integer to keyword to accommodate Windows in the future.

Fixes elastic#9679.

(cherry picked from commit 42421e9)
@cwurm cwurm changed the title Cherry-pick #9732 to 6.6: [Auditbeat] User metricset: Fetch groups by user [Auditbeat] Cherry-pick #9732 to 6.6: User metricset: Fetch groups by user Jan 3, 2019
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Jan 3, 2019

Pinging @elastic/secops

webmat
webmat approved these changes Jan 3, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cwurm cwurm merged commit 4b6c147 into elastic:6.6 Jan 4, 2019
@cwurm cwurm deleted the backport_9732_6.6 branch January 4, 2019 11:03
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
[Auditbeat] Cherry-pick elastic#9732 to 6.6: User metricset: Fetch gr…
2f4c411 
…oups by user (elastic#9872)

Cherry-pick of PR elastic#9732 to 6.6 branch. Original message: 

Changes the user metricset to looking up groups by user instead of users by groups.

Also changes the types of the system.audit.user.uid and system.audit.user.gid fields from integer to keyword to accommodate Windows in the future.

Fixes elastic#9679.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

+1 more reviewer

@webmat webmat webmat approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Auditbeat backport review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@cwurm @elasticmachine @webmat @andrewkroh