From db2c6172f45670047016deb72fb105d5d3db96ca Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Mon, 4 May 2020 11:09:57 -0400 Subject: [PATCH] [Auditbeat] Add system module process dataset ECS categorization fields (#18032) * [Auditbeat] Add system module process dataset ECS categorization fields * Add changelog entry (cherry picked from commit 4bf5d6288db81fa6605168fe15deba9119d3c267) --- CHANGELOG.next.asciidoc | 1 + .../module/system/process/process.go | 21 +++++++++++++++++-- .../module/system/process/process_test.go | 8 ++++--- 3 files changed, 25 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 26f20739aad..48d7bc12a9f 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -277,6 +277,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Log to stderr when running using reference kubernetes manifests. {pull}17443[174443] - Fix syscall kprobe arguments for 32-bit systems in socket module. {pull}17500[17500] - Fix memory leak on when we miss socket close kprobe events. {pull}17500[17500] +- Add system module process dataset ECS categorization fields. {pull}18032[18032] *Filebeat* diff --git a/x-pack/auditbeat/module/system/process/process.go b/x-pack/auditbeat/module/system/process/process.go index 48c6914142f..6c9e5a7db6a 100644 --- a/x-pack/auditbeat/module/system/process/process.go +++ b/x-pack/auditbeat/module/system/process/process.go @@ -66,6 +66,21 @@ func (action eventAction) String() string { } } +func (action eventAction) Type() string { + switch action { + case eventActionExistingProcess: + return "info" + case eventActionProcessStarted: + return "start" + case eventActionProcessStopped: + return "end" + case eventActionProcessError: + return "info" + default: + return "info" + } +} + func init() { mb.Registry.MustAddMetricSet(moduleName, metricsetName, New, mb.DefaultMetricSet(), @@ -319,8 +334,10 @@ func (ms *MetricSet) processEvent(process *Process, eventType string, action eve event := mb.Event{ RootFields: common.MapStr{ "event": common.MapStr{ - "kind": eventType, - "action": action.String(), + "kind": eventType, + "category": []string{"process"}, + "type": []string{action.Type()}, + "action": action.String(), }, "process": process.toMapStr(), "message": processMessage(process, action), diff --git a/x-pack/auditbeat/module/system/process/process_test.go b/x-pack/auditbeat/module/system/process/process_test.go index 18e64998618..2a33022ddef 100644 --- a/x-pack/auditbeat/module/system/process/process_test.go +++ b/x-pack/auditbeat/module/system/process/process_test.go @@ -66,9 +66,11 @@ func TestProcessEvent(t *testing.T) { } expectedRootFields := map[string]interface{}{ - "event.kind": "event", - "event.action": "process_started", - "message": "Process zsh (PID: 9086) by user elastic STARTED", + "event.kind": "event", + "event.category": []string{"process"}, + "event.type": []string{"start"}, + "event.action": "process_started", + "message": "Process zsh (PID: 9086) by user elastic STARTED", "process.pid": 9086, "process.ppid": 9085,