Add os.type field from ECS 1.8 (elastic#23513)

Adds the host.os.type field introduced by ECS 1.8.0.

Possible values for this field are:
- linux
- macos
- unix
- windows

The field will be missing for OSes not in the list.

Related elastic#23118

CHANGELOG.next.asciidoc

@@ -599,6 +599,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add kubernetes.volume.fs.used.pct field. {pull}23564[23564]
 - Add the `enable_krb5_fast` flag to the Kafka output to explicitly opt-in to FAST authentication. {pull}23629[23629]
 - Add deployment name in pod's meta. {pull}23610[23610]
+- Added ECS 1.8 `host.os.type` field to `add_host_metadata` processor. {pull}23513[23513]
 
 *Auditbeat*
 
@@ -618,6 +619,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add ECS categorization info for auditd module {pull}18596[18596]
 - Add several improvements for auditd module for improved ECS field mapping {pull}22647[22647]
 - Add ECS 1.7 `configuration` categorization in certain events in auditd module. {pull}23000[23000]
+- system/host: Add new ECS 1.8 field `os.type` in `host.os.type`. {pull}23513[23513]
 
 *Filebeat*
 

NOTICE.txt

@@ -7665,11 +7665,11 @@ Contents of probable licence file $GOMODCACHE/github.com/elastic/go-structform@v
 
 --------------------------------------------------------------------------------
 Dependency : github.com/elastic/go-sysinfo
-Version: v1.3.0
+Version: v1.5.0
 Licence type (autodetected): Apache-2.0
 --------------------------------------------------------------------------------
 
-Contents of probable licence file $GOMODCACHE/github.com/elastic/go-sysinfo@v1.3.0/LICENSE.txt:
+Contents of probable licence file $GOMODCACHE/github.com/elastic/go-sysinfo@v1.5.0/LICENSE.txt:
 
 
                                  Apache License

auditbeat/docs/fields.asciidoc

@@ -12336,6 +12336,16 @@ type: keyword
 The operating system's kernel version.
 
 
+type: keyword
+
+--
+
+*`system.audit.host.os.type`*::
++
+--
+OS type (see ECS os.type).
+
+
 type: keyword
 
 --

go.mod

@@ -69,7 +69,7 @@ require (
 	github.com/elastic/go-perf v0.0.0-20191212140718-9c656876f595
 	github.com/elastic/go-seccomp-bpf v1.1.0
 	github.com/elastic/go-structform v0.0.7
-	github.com/elastic/go-sysinfo v1.3.0
+	github.com/elastic/go-sysinfo v1.5.0
 	github.com/elastic/go-txfile v0.0.7
 	github.com/elastic/go-ucfg v0.8.3
 	github.com/elastic/go-windows v1.0.1 // indirect

go.sum

@@ -274,8 +274,8 @@ github.com/elastic/go-seccomp-bpf v1.1.0/go.mod h1:l+89Vy5BzjVcaX8USZRMOwmwwDScE
 github.com/elastic/go-structform v0.0.7 h1:ihszOJQryNuIIHE2ZgsbiDq+agKO6V4yK0JYAI3tjzc=
 github.com/elastic/go-structform v0.0.7/go.mod h1:QrMyP3oM9Sjk92EVGLgRaL2lKt0Qx7ZNDRWDxB6khVs=
 github.com/elastic/go-sysinfo v1.1.1/go.mod h1:i1ZYdU10oLNfRzq4vq62BEwD2fH8KaWh6eh0ikPT9F0=
-github.com/elastic/go-sysinfo v1.3.0 h1:eb2XFGTMlSwG/yyU9Y8jVAYLIzU2sFzWXwo2gmetyrE=
-github.com/elastic/go-sysinfo v1.3.0/go.mod h1:i1ZYdU10oLNfRzq4vq62BEwD2fH8KaWh6eh0ikPT9F0=
+github.com/elastic/go-sysinfo v1.5.0 h1:6DBn+WmxLz+IJ9MY+MzX2rWQNd04vSRB3TSuXu/2JjU=
+github.com/elastic/go-sysinfo v1.5.0/go.mod h1:i1ZYdU10oLNfRzq4vq62BEwD2fH8KaWh6eh0ikPT9F0=
 github.com/elastic/go-txfile v0.0.7 h1:Yn28gclW7X0Qy09nSMSsx0uOAvAGMsp6XHydbiLVe2s=
 github.com/elastic/go-txfile v0.0.7/go.mod h1:H0nCoFae0a4ga57apgxFsgmRjevNCsEaT6g56JoeKAE=
 github.com/elastic/go-ucfg v0.7.0/go.mod h1:iaiY0NBIYeasNgycLyTvhJftQlQEUO2hpF+FX0JKxzo=

libbeat/metric/system/host/host.go

@@ -53,7 +53,9 @@ func MapHostInfo(info types.HostInfo) common.MapStr {
 	if info.OS.Build != "" {
 		data.Put("host.os.build", info.OS.Build)
 	}
-
+	if info.OS.Type != "" {
+		data.Put("host.os.type", info.OS.Type)
+	}
 	return data
 }
 

libbeat/processors/add_host_metadata/add_host_metadata_test.go

@@ -75,6 +75,10 @@ func TestConfigDefault(t *testing.T) {
 	v, err = newEvent.GetValue("host.mac")
 	assert.NoError(t, err)
 	assert.NotNil(t, v)
+
+	v, err = newEvent.GetValue("host.os.type")
+	assert.NoError(t, err)
+	assert.NotNil(t, v)
 }
 
 func TestConfigNetInfoDisabled(t *testing.T) {
@@ -118,6 +122,10 @@ func TestConfigNetInfoDisabled(t *testing.T) {
 	v, err = newEvent.GetValue("host.mac")
 	assert.Error(t, err)
 	assert.Nil(t, v)
+
+	v, err = newEvent.GetValue("host.os.type")
+	assert.NoError(t, err)
+	assert.NotNil(t, v)
 }
 
 func TestConfigName(t *testing.T) {

libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc

@@ -57,6 +57,7 @@ The fields added to the event look like the following:
       "id":"",
       "os":{
          "family":"darwin",
+         "type":"macos",
          "build":"16G1212",
          "platform":"darwin",
          "version":"10.12.6",

x-pack/auditbeat/module/system/host/_meta/data.json

@@ -47,6 +47,7 @@
                 },
                 "timezone.name": "UTC",
                 "timezone.offset.sec": 0,
+                "type": "linux",
                 "uptime": 18661357350265
             }
         }

x-pack/auditbeat/module/system/host/_meta/fields.yml

@@ -77,3 +77,7 @@
       type: keyword
       description: >
         The operating system's kernel version.
+    - name: type
+      type: keyword
+      description: >
+        OS type (see ECS os.type).

x-pack/auditbeat/module/system/host/host.go

@@ -144,6 +144,10 @@ func (host *Host) toMapStr() common.MapStr {
 		mapstr.Put("os.codename", host.Info.OS.Codename)
 	}
 
+	if host.Info.OS.Type != "" {
+		mapstr.Put("os.type", host.Info.OS.Type)
+	}
+
 	var ipStrings []string
 	for _, ip := range host.Ips {
 		ipStrings = append(ipStrings, ip.String())
@@ -362,6 +366,7 @@ func hostEvent(host *Host, eventType string, action eventAction) mb.Event {
 	hostFields.CopyFieldsTo(hostTopLevel, "os.kernel")
 	hostFields.CopyFieldsTo(hostTopLevel, "os.name")
 	hostFields.CopyFieldsTo(hostTopLevel, "os.platform")
+	hostFields.CopyFieldsTo(hostTopLevel, "os.type")
 	hostFields.CopyFieldsTo(hostTopLevel, "os.version")
 
 	event.RootFields.Put("host", hostTopLevel)