Import user.group changes from ECS (#10275)

This change enables us to nest the `group` field set at `user.group`, rather than being limited to only group name.

Imports the changes from ECS elastic/ecs#308, which solves elastic/ecs#304.

CHANGELOG.next.asciidoc

@@ -19,6 +19,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Remove port settings from Logstash and Redis output. {pull}9934[9934]
 - Fix registry handle leak on Windows (https://github.com/elastic/go-sysinfo/pull/33). {pull}9920[9920]
 - Rename `process.exe` to `process.executable` in add_process_metadata to align with ECS. {pull}9949[9949]
+- Import ECS change https://github.com/elastic/ecs/pull/308[ecs#308]:
+  leaf field `user.group` is now the `group` field set. {pull}10275[10275]
 
 *Auditbeat*
 - Rename `process.exe` to `process.executable` in auditd module to align with ECS. {pull}9949[9949]

NOTICE.txt

@@ -568,7 +568,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 --------------------------------------------------------------------
 Dependency: github.com/elastic/ecs
-Revision: 69de90eb6493e0804405321f48adfdfa488d6498
+Revision: 337ddd4674d6a28da97e6d19010c04c43db09e58
 License type (autodetected): Apache-2.0
 ./vendor/github.com/elastic/ecs/LICENSE.txt:
 --------------------------------------------------------------------

auditbeat/docs/fields.asciidoc

@@ -5591,12 +5591,29 @@ Useful if `user.id` or `user.name` contain confidential information and cannot b
 
 --
 
-*`user.group`*::
+[float]
+== group fields
+
+The group fields are meant to represent groups that are relevant to the event.
+
+
+
+*`user.group.id`*::
 +
 --
 type: keyword
 
-Group the user is a part of. This field can contain a list of groups, if necessary.
+Unique identifier for the group on the system/platform.
+
+
+--
+
+*`user.group.name`*::
++
+--
+type: keyword
+
+Name of the group.
 
 
 --

filebeat/docs/fields.asciidoc

@@ -3655,12 +3655,29 @@ Useful if `user.id` or `user.name` contain confidential information and cannot b
 
 --
 
-*`user.group`*::
+[float]
+== group fields
+
+The group fields are meant to represent groups that are relevant to the event.
+
+
+
+*`user.group.id`*::
 +
 --
 type: keyword
 
-Group the user is a part of. This field can contain a list of groups, if necessary.
+Unique identifier for the group on the system/platform.
+
+
+--
+
+*`user.group.name`*::
++
+--
+type: keyword
+
+Name of the group.
 
 
 --

heartbeat/docs/fields.asciidoc

@@ -3204,12 +3204,29 @@ Useful if `user.id` or `user.name` contain confidential information and cannot b
 
 --
 
-*`user.group`*::
+[float]
+== group fields
+
+The group fields are meant to represent groups that are relevant to the event.
+
+
+
+*`user.group.id`*::
 +
 --
 type: keyword
 
-Group the user is a part of. This field can contain a list of groups, if necessary.
+Unique identifier for the group on the system/platform.
+
+
+--
+
+*`user.group.name`*::
++
+--
+type: keyword
+
+Name of the group.
 
 
 --

journalbeat/docs/fields.asciidoc

@@ -3471,12 +3471,29 @@ Useful if `user.id` or `user.name` contain confidential information and cannot b
 
 --
 
-*`user.group`*::
+[float]
+== group fields
+
+The group fields are meant to represent groups that are relevant to the event.
+
+
+
+*`user.group.id`*::
 +
 --
 type: keyword
 
-Group the user is a part of. This field can contain a list of groups, if necessary.
+Unique identifier for the group on the system/platform.
+
+
+--
+
+*`user.group.name`*::
++
+--
+type: keyword
+
+Name of the group.
 
 
 --

libbeat/_meta/fields.ecs.yml

@@ -2126,11 +2126,25 @@
             cannot be used.
 
         - name: group
-          level: extended
-          type: keyword
+          title: Group
+          group: 2
           description: >
-            Group the user is a part of. This field can contain a list of groups, if
-            necessary.
+            The group fields are meant to represent groups that are relevant to the
+            event.
+          type: group
+          fields:
+
+            - name: id
+              level: extended
+              type: keyword
+              description: >
+                Unique identifier for the group on the system/platform.
+
+            - name: name
+              level: extended
+              type: keyword
+              description: >
+                Name of the group.
     
     - name: user_agent
       title: User agent

metricbeat/docs/fields.asciidoc

@@ -6491,12 +6491,29 @@ Useful if `user.id` or `user.name` contain confidential information and cannot b
 
 --
 
-*`user.group`*::
+[float]
+== group fields
+
+The group fields are meant to represent groups that are relevant to the event.
+
+
+
+*`user.group.id`*::
 +
 --
 type: keyword
 
-Group the user is a part of. This field can contain a list of groups, if necessary.
+Unique identifier for the group on the system/platform.
+
+
+--
+
+*`user.group.name`*::
++
+--
+type: keyword
+
+Name of the group.
 
 
 --

packetbeat/docs/fields.asciidoc

@@ -5106,12 +5106,29 @@ Useful if `user.id` or `user.name` contain confidential information and cannot b
 
 --
 
-*`user.group`*::
+[float]
+== group fields
+
+The group fields are meant to represent groups that are relevant to the event.
+
+
+
+*`user.group.id`*::
 +
 --
 type: keyword
 
-Group the user is a part of. This field can contain a list of groups, if necessary.
+Unique identifier for the group on the system/platform.
+
+
+--
+
+*`user.group.name`*::
++
+--
+type: keyword
+
+Name of the group.
 
 
 --

vendor/vendor.json

@@ -780,10 +780,10 @@
 			"revisionTime": "2016-08-05T00:47:13Z"
 		},
 		{
-			"checksumSHA1": "OZQRtN0dcKhClFiYq7sSq6h5Kz4=",
+			"checksumSHA1": "mV9PA1PnYJo4QiM3mhHLytX1S6o=",
 			"path": "github.com/elastic/ecs/code/go/ecs",
-			"revision": "69de90eb6493e0804405321f48adfdfa488d6498",
-			"revisionTime": "2019-01-07T15:19:54Z"
+			"revision": "337ddd4674d6a28da97e6d19010c04c43db09e58",
+			"revisionTime": "2019-01-23T18:47:14Z"
 		},
 		{
 			"checksumSHA1": "vNnw1bUS8Ct+8H64QuA2DWRJ9SQ=",

winlogbeat/docs/fields.asciidoc

@@ -3102,12 +3102,29 @@ Useful if `user.id` or `user.name` contain confidential information and cannot b
 
 --
 
-*`user.group`*::
+[float]
+== group fields
+
+The group fields are meant to represent groups that are relevant to the event.
+
+
+
+*`user.group.id`*::
 +
 --
 type: keyword
 
-Group the user is a part of. This field can contain a list of groups, if necessary.
+Unique identifier for the group on the system/platform.
+
+
+--
+
+*`user.group.name`*::
++
+--
+type: keyword
+
+Name of the group.
 
 
 --

x-pack/functionbeat/docs/fields.asciidoc

@@ -3083,12 +3083,29 @@ Useful if `user.id` or `user.name` contain confidential information and cannot b
 
 --
 
-*`user.group`*::
+[float]
+== group fields
+
+The group fields are meant to represent groups that are relevant to the event.
+
+
+
+*`user.group.id`*::
 +
 --
 type: keyword
 
-Group the user is a part of. This field can contain a list of groups, if necessary.
+Unique identifier for the group on the system/platform.
+
+
+--
+
+*`user.group.name`*::
++
+--
+type: keyword
+
+Name of the group.
 
 
 --