From d933157fba418be889564a2b664af28ebf7ed4cf Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 22 Sep 2021 21:53:15 -0500
Subject: [PATCH 1/8] Update eventreader_test.go

---
 auditbeat/module/file_integrity/eventreader_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/auditbeat/module/file_integrity/eventreader_test.go b/auditbeat/module/file_integrity/eventreader_test.go
index a00367f350ad..53db8b28c3e2 100644
--- a/auditbeat/module/file_integrity/eventreader_test.go
+++ b/auditbeat/module/file_integrity/eventreader_test.go
@@ -41,7 +41,7 @@ func init() {
 const ErrorSharingViolation syscall.Errno = 32
 
 func TestEventReader(t *testing.T) {
-	t.Skip("Flaky test: about 1/10 of bulds fails https://github.com/elastic/beats/issues/21302")
+	t.Skip("Flaky test: about 1/10 of builds fails https://github.com/elastic/beats/issues/21302")
 	// Make dir to monitor.
 	dir, err := ioutil.TempDir("", "audit")
 	if err != nil {
@@ -241,7 +241,7 @@ func TestEventReader(t *testing.T) {
 }
 
 func TestRaces(t *testing.T) {
-	t.Skip("Flaky test: about 1/20 of bulds fails https://github.com/elastic/beats/issues/21303")
+	t.Skip("Flaky test: about 1/20 of builds fails https://github.com/elastic/beats/issues/21303")
 	const (
 		fileMode os.FileMode = 0640
 		N = 100

From 4884803692f0786a5f33f28c5fe1fde2fe0fedba Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 22 Sep 2021 21:54:21 -0500
Subject: [PATCH 2/8] Update kubectl.go

---
 dev-tools/mage/kubernetes/kubectl.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dev-tools/mage/kubernetes/kubectl.go b/dev-tools/mage/kubernetes/kubectl.go
index f69edcc40101..4cc757a6905e 100644
--- a/dev-tools/mage/kubernetes/kubectl.go
+++ b/dev-tools/mage/kubernetes/kubectl.go
@@ -28,7 +28,7 @@ import (
 	"github.com/magefile/mage/sh"
 )
 
-// KubectlApply applys the manifest file to the kubernetes cluster.
+// KubectlApply applies the manifest file to the kubernetes cluster.
 //
 // KUBECONFIG must be in `env` to target a specific cluster.
 func KubectlApply(env map[string]string, stdout, stderr io.Writer, filepath string) error {
@@ -60,7 +60,7 @@ func KubectlDelete(env map[string]string, stdout, stderr io.Writer, filepath str
 	return err
 }
 
-// KubectlApplyInput applys the manifest string to the kubernetes cluster.
+// KubectlApplyInput applies the manifest string to the kubernetes cluster.
 //
 // KUBECONFIG must be in `env` to target a specific cluster.
 func KubectlApplyInput(env map[string]string, stdout, stderr io.Writer, manifest string) error {

From b01361917e4113b5e56776bb7d82477e276161a7 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 22 Sep 2021 21:54:54 -0500
Subject: [PATCH 3/8] Update integtest.go

---
 dev-tools/mage/integtest.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev-tools/mage/integtest.go b/dev-tools/mage/integtest.go
index 16321fa90326..f36189c1b8ec 100644
--- a/dev-tools/mage/integtest.go
+++ b/dev-tools/mage/integtest.go
@@ -135,7 +135,7 @@ type IntegrationTester interface {
 	Use(dir string) (bool, error)
 	// HasRequirements returns an error if requirements are missing.
 	HasRequirements() error
-	// Test performs excecuting the test inside the environment.
+	// Test performs executing the test inside the environment.
 	Test(dir string, mageTarget string, env map[string]string) error
 	// InsideTest performs the actual test on the inside of environment.
 	InsideTest(test func() error) error

From a4ed9e183f4bc3947f7b75f7be1bd0d8228c3ef5 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 22 Sep 2021 21:55:27 -0500
Subject: [PATCH 4/8] Update gotest_test.go

---
 dev-tools/mage/gotest_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dev-tools/mage/gotest_test.go b/dev-tools/mage/gotest_test.go
index f88186a19107..b3689c8ff314 100644
--- a/dev-tools/mage/gotest_test.go
+++ b/dev-tools/mage/gotest_test.go
@@ -139,7 +139,7 @@ func TestGoTest_CaptureOutput(t *testing.T) {
 			output := buf.String()
 
 			if !re.MatchString(output) {
-				t.Fatalf("GoTest output missmatch:\nwant:\n%v\n\ngot:\n%v", test.want, output)
+				t.Fatalf("GoTest output mismatch:\nwant:\n%v\n\ngot:\n%v", test.want, output)
 			}
 		})
 	}

From 80728b11525182159c81f02504ad504a0f72fab7 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 22 Sep 2021 21:56:15 -0500
Subject: [PATCH 5/8] Update jenkins_release.sh

---
 dev-tools/jenkins_release.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev-tools/jenkins_release.sh b/dev-tools/jenkins_release.sh
index cd22480c7e36..02950637610d 100755
--- a/dev-tools/jenkins_release.sh
+++ b/dev-tools/jenkins_release.sh
@@ -45,7 +45,7 @@ cleanup() {
 trap cleanup EXIT
 
 # This controls the defaults used the Jenkins package job. They can be
-# overridden by setting them in the environement prior to running this script.
+# overridden by setting them in the environment prior to running this script.
 export SNAPSHOT="${SNAPSHOT:-true}"
 export PLATFORMS="${PLATFORMS:-+linux/armv7 +linux/ppc64le +linux/s390x +linux/mips64}"
 

From 7d6a2b5c62559e938e999bc168f6375349d1b059 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 22 Sep 2021 21:56:36 -0500
Subject: [PATCH 6/8] Update ecs-migration.yml

---
 dev-tools/ecs-migration.yml | 166 ++++++++++++++++++++++++++++++++++--
 1 file changed, 158 insertions(+), 8 deletions(-)

diff --git a/dev-tools/ecs-migration.yml b/dev-tools/ecs-migration.yml
index fba03edb34e1..cb4b9d8b8d70 100644
--- a/dev-tools/ecs-migration.yml
+++ b/dev-tools/ecs-migration.yml
@@ -54,7 +54,7 @@
   alias6: true
   alias: true
 
-- from: docker.container.labels # TODO: How to map these?
+- from: docker.container.labels # TODO: How to map these?
   to: container.labels
   alias6: false
   alias: true
@@ -115,8 +115,8 @@
 
 - from: source
   to:
-  - log.file.path
-  - log.source.address
+    - log.file.path
+    - log.source.address
   alias: false
   beat: filebeat
@@ -428,7 +428,7 @@
   beat: filebeat
 
 - from: suricata.eve.timestamp
-  to: "@timestamp"
+  to: '@timestamp'
   alias: true
   beat: filebeat
 
@@ -476,7 +476,7 @@
   beat: filebeat
 
 - from: system.auth.timestamp
-  to: "@timestamp"
+  to: '@timestamp'
   alias: true
   beat: filebeat
 
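Review bot: The re-indented `- log.file.path` / `- log.source.address` items under `to:` in the `from: source` entry are a whitespace-only change, but in YAML the column of those two items decides whether they stay the value of `to:` or become siblings of the `- from: source` entry, and the collapsed hunk does not preserve the resulting column; confirm after applying that the entry still loads with `to` as a two-element list. The `'@timestamp'` single-quote swaps in the two hunks below are equivalent to the double-quoted form, and the `docker.container.labels` line differs only in whitespace that is not visible here. Since this file is consumed by tooling rather than read by people, keeping such cosmetic reformatting out of a typo-fix series would make the diff easier to audit.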
@@ -560,6 +560,155 @@
   alias: true
   beat: filebeat
 
+## Apache module
+
+- from: apache2.access.remote_ip
+  to: source.address
+  alias: true
+  beat: filebeat
+
+- from: apache2.access.user_name
+  to: user.name
+  alias: true
+  beat: filebeat
+
+- from: apache2.access.method
+  to: http.request.method
+  alias: true
+  beat: filebeat
+
+- from: apache2.access.url
+  to: url.original
+  alias: true
+  beat: filebeat
+
+- from: apache2.access.http_version
+  to: http.version
+  alias: true
+  beat: filebeat
+
+- from: apache2.access.response_code
+  to: http.response.status_code
+  alias: true
+  beat: filebeat
+
+- from: apache2.access.referrer
+  to: http.request.referrer
+  alias: true
+  beat: filebeat
+
+- from: apache2.access.agent
+  to: user_agent.original
+  alias: true
+  beat: filebeat
+
+- from: apache2.access.body_sent.bytes
+  to: http.response.body.bytes
+  alias: true
+  beat: filebeat
+
+- from: apache2.access.geoip.continent_name
+  to: source.geo.continent_name
+  alias: true
+  beat: filebeat
+
+- from: apache2.access.geoip.country_iso_code
+  to: source.geo.country_iso_code
+  alias: true
+  beat: filebeat
+
+- from: apache2.access.geoip.location
+  to: source.geo.location
+  alias: true
+  beat: filebeat
+
+- from: apache2.access.geoip.region_name
+  to: source.geo.region_name
+  alias: true
+  beat: filebeat
+
+- from: apache2.access.geoip.city_name
+  to: source.geo.city_name
+  alias: true
+  beat: filebeat
+
+- from: apache2.access.geoip.region_iso_code
+  to: source.geo.region_iso_code
+  alias: true
+  beat: filebeat
+
+- from: apache2.access.user_agent.original
+  to: user_agent.original
+  alias: true
+  beat: filebeat
+- from: apache2.access.user_agent.device
+  to: user_agent.device.name
+  alias: true
+  beat: filebeat
+- from: apache2.access.user_agent.name
+  to: user_agent.name
+  alias: true
+  beat: filebeat
+- from: apache2.access.user_agent.os
+  to: user_agent.os.full_name
+  alias: true
+  beat: filebeat
+- from: apache2.access.user_agent.os_name
+  to: user_agent.os.name
+  alias: true
+  beat: filebeat
+
+- from: apache2.access.user_agent.major
+  to: user_agent.version
+  alias: false
+  beat: filebeat
+- from: apache2.access.user_agent.minor
+  to: user_agent.version
+  alias: false
+  beat: filebeat
+- from: apache2.access.user_agent.patch
+  to: user_agent.version
+  alias: false
+  beat: filebeat
+- from: apache2.access.user_agent.os_major
+  to: user_agent.os.version
+  alias: false
+  beat: filebeat
+- from: apache2.access.user_agent.os_minor
+  to: user_agent.os.version
+  alias: false
+  beat: filebeat
+- from: apache2.access.user_agent.os_patch
+  to: user_agent.os.version
+  alias: false
+  beat: filebeat
+
+### Error fileset
+- from: apache2.error.message
+  to: message
+  alias: true
+  beat: filebeat
+
+- from: apache2.error.level
+  to: log.level
+  alias: true
+  beat: filebeat
+
+- from: apache2.error.client
+  to: source.address
+  alias: true
+  beat: filebeat
+
+- from: apache2.error.pid
+  to: process.pid
+  alias: true
+  beat: filebeat
+
+- from: apache2.error.tid
+  to: process.thread.id
+  alias: true
+  beat: filebeat
+
 ## Elasticsearch module
 
 - from: elasticsearch.audit.origin_address
@@ -1599,6 +1748,7 @@
   alias: true
   beat: metricbeat
 
+
 ### Redis
 
 - from: php_fpm.status.pid
@@ -1872,7 +2022,7 @@
 - from: method
   to: http.request.method
   alias: false
-  comment: Field is used by serveral protocols.
+  comment: Field is used by several protocols.
   beat: packetbeat
 
 - from: path
@@ -1883,7 +2033,7 @@
 - from: real_ip
   to: network.forwarded_ip
   alias: false
-  comment: Field is used by serveral protocols.
+  comment: Field is used by several protocols.
   beat: packetbeat
 
 ## MySQL
@@ -1891,7 +2041,7 @@
   to: status
   alias: false
   comment: >
-    Status reflects whether or not an error occured. Its values are either
+    Status reflects whether or not an error occurred. Its values are either
     OK or Error.
   beat: packetbeat
 

From 812512c8b758ff18a0a71d683415ca7f3dcd81e6 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 22 Sep 2021 21:57:05 -0500
Subject: [PATCH 7/8] Update fileinfo_windows.go

---
 auditbeat/module/file_integrity/fileinfo_windows.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auditbeat/module/file_integrity/fileinfo_windows.go b/auditbeat/module/file_integrity/fileinfo_windows.go
index 7c3ff0e3fdf0..d80c549368f4 100644
--- a/auditbeat/module/file_integrity/fileinfo_windows.go
+++ b/auditbeat/module/file_integrity/fileinfo_windows.go
@@ -93,7 +93,7 @@ func fileOwner(path string) (sid, owner string, err error) {
 	}
 	defer syscall.LocalFree((syscall.Handle)(unsafe.Pointer(securityDescriptor)))
 
-	// Covert SID to a string and lookup the username.
+	// Convert SID to a string and lookup the username.
 	var errs multierror.Errors
 	sid, err = securityID.String()
 	if err != nil {

From d532a766fdeef87a53cdb1ba6824744d5c5f63e5 Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor
Date: Wed, 3 Nov 2021 10:08:02 +0100
Subject: [PATCH 8/8] Remove apache2 aliases

---
 dev-tools/ecs-migration.yml | 149 ------------------------------------
 1 file changed, 149 deletions(-)

diff --git a/dev-tools/ecs-migration.yml b/dev-tools/ecs-migration.yml
index cb4b9d8b8d70..39bc49505646 100644
--- a/dev-tools/ecs-migration.yml
+++ b/dev-tools/ecs-migration.yml
@@ -560,155 +560,6 @@
   alias: true
   beat: filebeat
 
-## Apache module
-
-- from: apache2.access.remote_ip
-  to: source.address
-  alias: true
-  beat: filebeat
-
-- from: apache2.access.user_name
-  to: user.name
-  alias: true
-  beat: filebeat
-
-- from: apache2.access.method
-  to: http.request.method
-  alias: true
-  beat: filebeat
-
-- from: apache2.access.url
-  to: url.original
-  alias: true
-  beat: filebeat
-
-- from: apache2.access.http_version
-  to: http.version
-  alias: true
-  beat: filebeat
-
-- from: apache2.access.response_code
-  to: http.response.status_code
-  alias: true
-  beat: filebeat
-
-- from: apache2.access.referrer
-  to: http.request.referrer
-  alias: true
-  beat: filebeat
-
-- from: apache2.access.agent
-  to: user_agent.original
-  alias: true
-  beat: filebeat
-
-- from: apache2.access.body_sent.bytes
-  to: http.response.body.bytes
-  alias: true
-  beat: filebeat
-
-- from: apache2.access.geoip.continent_name
-  to: source.geo.continent_name
-  alias: true
-  beat: filebeat
-
-- from: apache2.access.geoip.country_iso_code
-  to: source.geo.country_iso_code
-  alias: true
-  beat: filebeat
-
-- from: apache2.access.geoip.location
-  to: source.geo.location
-  alias: true
-  beat: filebeat
-
-- from: apache2.access.geoip.region_name
-  to: source.geo.region_name
-  alias: true
-  beat: filebeat
-
-- from: apache2.access.geoip.city_name
-  to: source.geo.city_name
-  alias: true
-  beat: filebeat
-
-- from: apache2.access.geoip.region_iso_code
-  to: source.geo.region_iso_code
-  alias: true
-  beat: filebeat
-
-- from: apache2.access.user_agent.original
-  to: user_agent.original
-  alias: true
-  beat: filebeat
-- from: apache2.access.user_agent.device
-  to: user_agent.device.name
-  alias: true
-  beat: filebeat
-- from: apache2.access.user_agent.name
-  to: user_agent.name
-  alias: true
-  beat: filebeat
-- from: apache2.access.user_agent.os
-  to: user_agent.os.full_name
-  alias: true
-  beat: filebeat
-- from: apache2.access.user_agent.os_name
-  to: user_agent.os.name
-  alias: true
-  beat: filebeat
-
-- from: apache2.access.user_agent.major
-  to: user_agent.version
-  alias: false
-  beat: filebeat
-- from: apache2.access.user_agent.minor
-  to: user_agent.version
-  alias: false
-  beat: filebeat
-- from: apache2.access.user_agent.patch
-  to: user_agent.version
-  alias: false
-  beat: filebeat
-- from: apache2.access.user_agent.os_major
-  to: user_agent.os.version
-  alias: false
-  beat: filebeat
-- from: apache2.access.user_agent.os_minor
-  to: user_agent.os.version
-  alias: false
-  beat: filebeat
-- from: apache2.access.user_agent.os_patch
-  to: user_agent.os.version
-  alias: false
-  beat: filebeat
-
-### Error fileset
-- from: apache2.error.message
-  to: message
-  alias: true
-  beat: filebeat
-
-- from: apache2.error.level
-  to: log.level
-  alias: true
-  beat: filebeat
-
-- from: apache2.error.client
-  to: source.address
-  alias: true
-  beat: filebeat
-
-- from: apache2.error.pid
-  to: process.pid
-  alias: true
-  beat: filebeat
-
-- from: apache2.error.tid
-  to: process.thread.id
-  alias: true
-  beat: filebeat
-
 ## Elasticsearch module
 
 - from: elasticsearch.audit.origin_address