fix event.type have incorrect value in system/syslog

event.type was being set to event. event is not one of the allowed values for event.type in ECS. Changing field to event.kind, where event is an allowed value. Closes elastic#20365
leehinman · Jul 31, 2020 · e5749ba · e5749ba
1 parent 43bbf51
commit e5749ba
Show file tree

Hide file tree

Showing 6 changed files with 110 additions and 109 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -231,6 +231,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix millisecond timestamp normalization issues in CrowdStrike module {issue}20035[20035], {pull}20138[20138]
 - Fix support for message code 106100 in Cisco ASA and FTD. {issue}19350[19350] {pull}20245[20245]
 - Fix `fortinet` setting `event.timezone` to the system one when no `tz` field present {pull}20273[20273]
+- Fix event.kind for system/syslog pipeline {issue}20365[20365] {pull}20390[20390]
 
 *Heartbeat*
 

diff --git a/filebeat/module/system/syslog/ingest/pipeline.yml b/filebeat/module/system/syslog/ingest/pipeline.yml
@@ -49,7 +49,7 @@ processors:
 - remove:
     field: system.syslog.timestamp
 - set:
-    field: event.type
+    field: event.kind
     value: event
 on_failure:
 - set:

diff --git a/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json b/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json
@@ -1,9 +1,9 @@
 [
     {
         "event.dataset": "system.syslog",
+        "event.kind": "event",
         "event.module": "system",
         "event.timezone": "-02:00",
-        "event.type": "event",
         "fileset.name": "syslog",
         "host.hostname": "a-mac-with-esc-key",
         "input.type": "log",
@@ -18,9 +18,9 @@
     },
     {
         "event.dataset": "system.syslog",
+        "event.kind": "event",
         "event.module": "system",
         "event.timezone": "-02:00",
-        "event.type": "event",
         "fileset.name": "syslog",
         "host.hostname": "a-mac-with-esc-key",
         "input.type": "log",
@@ -32,9 +32,9 @@
     },
     {
         "event.dataset": "system.syslog",
+        "event.kind": "event",
         "event.module": "system",
         "event.timezone": "-02:00",
-        "event.type": "event",
         "fileset.name": "syslog",
         "input.type": "log",
         "log.offset": 1176,