From 97adc6612ed6deca67ccc7049fc3e6803ebb5e7f Mon Sep 17 00:00:00 2001
From: Lee Hinman <57081003+leehinman@users.noreply.github.com>
Date: Tue, 4 Feb 2020 20:33:11 -0600
Subject: [PATCH] fix mapping error for cloudtrail additonalEventData field (#16088)
(cherry picked from commit 03d62ccf7b84d95993f2e0c73056b52da96faaa2)
---
 CHANGELOG.next.asciidoc | 1 +
 x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml | 4 ++--
 .../aws/cloudtrail/test/console-login-json.log-expected.json | 2 ++
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 4203654becc..6479a3f885c 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -55,6 +55,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add shared_credential_file to cloudtrail config {issue}15652[15652] {pull}15656[15656]
 - Fix typos in zeek notice fileset config file. {issue}15764[15764] {pull}15765[15765]
 - Prevent Elasticsearch from spewing log warnings about redundant wildcards when setting up ingest pipelines for the `elasticsearch` module. {issue}15840[15840] {pull}15900[15900]
+- Fix mapping error for cloudtrail additionalEventData field {pull}16088[16088]
 *Heartbeat*
diff --git a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml
index 0c40e0188be..ddfff12c891 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml
@@ -108,8 +108,8 @@ processors:
 - script:
 lang: painless
 source: |
- if (ctx.json.additionalEventdata != null) {
- ctx.aws.cloudtrail.additional_eventdata = ctx.json.additionalEventdata.toString();
+ if (ctx.json.additionalEventData != null) {
+ ctx.aws.cloudtrail.additional_eventdata = ctx.json.additionalEventData.toString();
 }
 ignore_failure: true
 - rename:
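Review bot: In the pipeline.yml hunk, `ctx.json.additionalEventData.toString()` stores the map in Java's `{k=v, k=v}` rendering (the fixtures in this commit show `{LoginTo=..., MobileVersion=No, MFAUsed=No}`), which is not JSON and becomes ambiguous once a value contains `, ` or `=`. A detection that keys on `MFAUsed` for console logins can then only match on substrings of `aws.cloudtrail.additional_eventdata`; keeping the sub-fields queryable (for example an object mapped as `flattened`) would be more robust, or at minimum add a comment above the script such as `# stored as Map.toString() text, not JSON; match MFAUsed=... as a phrase`. Separately, `ignore_failure: true` means that if `ctx.aws.cloudtrail` has not been created by an earlier processor (not visible in this hunk) the assignment throws and the field is dropped without any trace; an `on_failure` handler that records the error on the event would make that visible. The processor list starts before and continues after the hunk.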
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json
index ea7052e9a03..dc6f299be05 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json
@@ -1,6 +1,7 @@
 [
 {
 "@timestamp": "2014-07-16T15:49:27.000Z",
+ "aws.cloudtrail.additional_eventdata": "{LoginTo=https://console.aws.amazon.com/s3/, MobileVersion=No, MFAUsed=No}",
 "aws.cloudtrail.event_version": "1.05",
 "aws.cloudtrail.response_elements": "{ConsoleLogin=Success}",
 "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/JohnDoe",
@@ -34,6 +35,7 @@
 },
 {
 "@timestamp": "2014-07-08T17:35:27.000Z",
+ "aws.cloudtrail.additional_eventdata": "{LoginTo=https://console.aws.amazon.com/sns, MobileVersion=No, MFAUsed=No}",
 "aws.cloudtrail.error_message": "Failed authentication",
 "aws.cloudtrail.event_version": "1.05",
 "aws.cloudtrail.response_elements": "{ConsoleLogin=Failure}",