Skip to content

Commit

Permalink
Remove dot from file.extension value in Auditbeat FIM
Browse files Browse the repository at this point in the history
The ECS file.extension field should not include the dot. For example the value should be "png" and not ".png".

Relates elastic/ecs#1016
  • Loading branch information
andrewkroh committed Oct 7, 2020
1 parent 048a404 commit edf2ea5
Show file tree
Hide file tree
Showing 3 changed files with 11 additions and 3 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Change event.kind=error to event.kind=event to comply with ECS. {issue}18870[18870] {pull}20685[20685]
- Change network.direction values to ECS recommended values (inbound, outbound). {issue}12445[12445] {pull}20695[20695]
- Docker container needs to be explicitly run as user root for auditing. {pull}21202[21202]
- File integrity dataset no longer includes the leading dot in `file.extension` values (e.g. it will report "png" instead of ".png") to comply with ECS. {pull}21644[21644]

*Filebeat*

Expand Down
2 changes: 1 addition & 1 deletion auditbeat/module/file_integrity/event.go
Original file line number Diff line number Diff line change
Expand Up @@ -257,7 +257,7 @@ func buildMetricbeatEvent(e *Event, existedBefore bool) mb.Event {

if e.Info.Type == FileType {
if extension := filepath.Ext(e.Path); extension != "" {
file["extension"] = extension
file["extension"] = strings.TrimLeft(extension, ".")
}
if mimeType := getMimeType(e.Path); mimeType != "" {
file["mime_type"] = mimeType
Expand Down
11 changes: 9 additions & 2 deletions auditbeat/module/file_integrity/event_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ import (
"time"

"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"

"github.com/elastic/beats/v7/libbeat/common"
)
Expand Down Expand Up @@ -295,7 +296,11 @@ func TestBuildEvent(t *testing.T) {
assertHasKey(t, fields, "event.type")

assertHasKey(t, fields, "file.path")
assertHasKey(t, fields, "file.extension")
if assertHasKey(t, fields, "file.extension") {
ext, err := fields.GetValue("file.extension")
require.NoError(t, err)
assert.Equal(t, ext, "txt")
}
assertHasKey(t, fields, "file.target_path")
assertHasKey(t, fields, "file.inode")
assertHasKey(t, fields, "file.uid")
Expand Down Expand Up @@ -427,10 +432,12 @@ func mustDecodeHex(v string) []byte {
return data
}

func assertHasKey(t testing.TB, m common.MapStr, key string) {
func assertHasKey(t testing.TB, m common.MapStr, key string) bool {
t.Helper()
found, err := m.HasKey(key)
if err != nil || !found {
t.Errorf("key %v not found: %v", key, err)
return false
}
return true
}

0 comments on commit edf2ea5

Please sign in to comment.