fix mapping error for cloudtrail additonalEventData field (elastic#16088

) (cherry picked from commit 03d62cc)
leehinman · Feb 5, 2020 · bf12ea2 · bf12ea2
1 parent 064f4ee
commit bf12ea2
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 2 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -91,6 +91,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix typos in zeek notice fileset config file. {issue}15764[15764] {pull}15765[15765]
 - Fix mapping error when zeek weird logs do not contain IP addresses. {pull}15906[15906]
 - Prevent Elasticsearch from spewing log warnings about redundant wildcards when setting up ingest pipelines for the `elasticsearch` module. {issue}15840[15840] {pull}15900[15900]
+- Fix mapping error for cloudtrail additionalEventData field {pull}16088[16088]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml
@@ -108,8 +108,8 @@ processors:
   - script:
       lang: painless
       source: |
-        if (ctx.json.additionalEventdata != null) {
-          ctx.aws.cloudtrail.additional_eventdata = ctx.json.additionalEventdata.toString();
+        if (ctx.json.additionalEventData != null) {
+          ctx.aws.cloudtrail.additional_eventdata = ctx.json.additionalEventData.toString();
         }
       ignore_failure: true
   - rename:

diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json
@@ -1,6 +1,7 @@
 [
     {
         "@timestamp": "2014-07-16T15:49:27.000Z",
+        "aws.cloudtrail.additional_eventdata": "{LoginTo=https://console.aws.amazon.com/s3/, MobileVersion=No, MFAUsed=No}",
         "aws.cloudtrail.event_version": "1.05",
         "aws.cloudtrail.response_elements": "{ConsoleLogin=Success}",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/JohnDoe",
@@ -34,6 +35,7 @@
     },
     {
         "@timestamp": "2014-07-08T17:35:27.000Z",
+        "aws.cloudtrail.additional_eventdata": "{LoginTo=https://console.aws.amazon.com/sns, MobileVersion=No, MFAUsed=No}",
         "aws.cloudtrail.error_message": "Failed authentication",
         "aws.cloudtrail.event_version": "1.05",
         "aws.cloudtrail.response_elements": "{ConsoleLogin=Failure}",