Filebeat system visualisation do not use ECS

[fkelbert]

With 7.0, some Filebeat system visualisation do not work, as they do not use proper ECS fields.

Specifically the visualisation:

• SSH users of failed login attempts [Filebeat System] ECS
• Successful SSH logins
• SSH login attempts

These visualisations should filter on field system.auth.ssh.event rather than event.action.

[ruflin]

Hi @fkelbert Thanks for reporting. This seems to be indeed a field that was renamed but should not have been renamed in the dashboards. @webmat Does this ring a bell on your end?

[webmat]

I agree the searches and visualizations should still use the custom fields. Here's what happened.

My initial PR #9138 to migrate the system module did migrate this field to the ECS field event.action.

But later, we decided to use a few of the event fields for guided categorization, and event.action is one of the fields that used for this. PR #11334 by @tsg made the corresponding change to the system module's pipeline, but the entry for system.auth.ssh.event => event.action was not removed from ecs-migration.yml.

We should indeed address this for the next patch release, should be straightforward to fix.

[webmat]

Hmmm, it seems like the ecs-migration.yml file doesn't contain this incorrect mapping anymore.

I'll fix the dashboards directly.

[webmat]

Fix for master is up: #11936. I'll backport to 7.0 as soon as it's merged.

The incorrect entry is no longer in ecs-migration.yml, as already mentioned. The list of breaking changes doesn't seem to contain this incorrect migration either. So I only really had to fix the dashboard itself.

[ruflin]

Thanks for the fix Mat.

[ruflin]

@webmat Not sure why this was reopend? Both PR's are merged.

[webmat]

Hmmm, it got auto-closed by my first merge to master, which was incorrect.

I reopened temporarily, but I assumed the merge of the backport would close it again. Looks like it didn't :-)

Closing now