From 1495059c0ba8b13b482a961e8553063ad4b00cc3 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Tue, 2 Feb 2021 12:44:25 +0100 Subject: [PATCH] Add os.type field from ECS 1.8 (#23513) Adds the host.os.type field introduced by ECS 1.8.0. Possible values for this field are: - linux - macos - unix - windows The field will be missing for OSes not in the list. Related #23118 --- CHANGELOG.next.asciidoc | 2 ++ NOTICE.txt | 4 ++-- auditbeat/docs/fields.asciidoc | 10 ++++++++++ go.mod | 2 +- go.sum | 4 ++-- libbeat/metric/system/host/host.go | 4 +++- .../add_host_metadata/add_host_metadata_test.go | 8 ++++++++ .../add_host_metadata/docs/add_host_metadata.asciidoc | 1 + x-pack/auditbeat/module/system/fields.go | 2 +- x-pack/auditbeat/module/system/host/_meta/data.json | 1 + x-pack/auditbeat/module/system/host/_meta/fields.yml | 4 ++++ x-pack/auditbeat/module/system/host/host.go | 5 +++++ 12 files changed, 40 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 2d9dfe00b18..d479054b1ee 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -599,6 +599,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add kubernetes.volume.fs.used.pct field. {pull}23564[23564] - Add the `enable_krb5_fast` flag to the Kafka output to explicitly opt-in to FAST authentication. {pull}23629[23629] - Add deployment name in pod's meta. {pull}23610[23610] +- Added ECS 1.8 `host.os.type` field to `add_host_metadata` processor. {pull}23513[23513] *Auditbeat* @@ -618,6 +619,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add ECS categorization info for auditd module {pull}18596[18596] - Add several improvements for auditd module for improved ECS field mapping {pull}22647[22647] - Add ECS 1.7 `configuration` categorization in certain events in auditd module. {pull}23000[23000] +- system/host: Add new ECS 1.8 field `os.type` in `host.os.type`. {pull}23513[23513] *Filebeat* diff --git a/NOTICE.txt b/NOTICE.txt index 22432dae737..f0985619e43 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -7665,11 +7665,11 @@ Contents of probable licence file $GOMODCACHE/github.com/elastic/go-structform@v -------------------------------------------------------------------------------- Dependency : github.com/elastic/go-sysinfo -Version: v1.3.0 +Version: v1.5.0 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/go-sysinfo@v1.3.0/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/elastic/go-sysinfo@v1.5.0/LICENSE.txt: Apache License diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc index 4f2c939d90c..d8f0217da6a 100644 --- a/auditbeat/docs/fields.asciidoc +++ b/auditbeat/docs/fields.asciidoc @@ -12336,6 +12336,16 @@ type: keyword The operating system's kernel version. +type: keyword + +-- + +*`system.audit.host.os.type`*:: ++ +-- +OS type (see ECS os.type). + + type: keyword -- diff --git a/go.mod b/go.mod index e6b7ee22b34..cc5c9629ce7 100644 --- a/go.mod +++ b/go.mod @@ -69,7 +69,7 @@ require ( github.com/elastic/go-perf v0.0.0-20191212140718-9c656876f595 github.com/elastic/go-seccomp-bpf v1.1.0 github.com/elastic/go-structform v0.0.7 - github.com/elastic/go-sysinfo v1.3.0 + github.com/elastic/go-sysinfo v1.5.0 github.com/elastic/go-txfile v0.0.7 github.com/elastic/go-ucfg v0.8.3 github.com/elastic/go-windows v1.0.1 // indirect diff --git a/go.sum b/go.sum index 1ed1330fac1..e8bcd3074c9 100644 --- a/go.sum +++ b/go.sum @@ -274,8 +274,8 @@ github.com/elastic/go-seccomp-bpf v1.1.0/go.mod h1:l+89Vy5BzjVcaX8USZRMOwmwwDScE github.com/elastic/go-structform v0.0.7 h1:ihszOJQryNuIIHE2ZgsbiDq+agKO6V4yK0JYAI3tjzc= github.com/elastic/go-structform v0.0.7/go.mod h1:QrMyP3oM9Sjk92EVGLgRaL2lKt0Qx7ZNDRWDxB6khVs= github.com/elastic/go-sysinfo v1.1.1/go.mod h1:i1ZYdU10oLNfRzq4vq62BEwD2fH8KaWh6eh0ikPT9F0= -github.com/elastic/go-sysinfo v1.3.0 h1:eb2XFGTMlSwG/yyU9Y8jVAYLIzU2sFzWXwo2gmetyrE= -github.com/elastic/go-sysinfo v1.3.0/go.mod h1:i1ZYdU10oLNfRzq4vq62BEwD2fH8KaWh6eh0ikPT9F0= +github.com/elastic/go-sysinfo v1.5.0 h1:6DBn+WmxLz+IJ9MY+MzX2rWQNd04vSRB3TSuXu/2JjU= +github.com/elastic/go-sysinfo v1.5.0/go.mod h1:i1ZYdU10oLNfRzq4vq62BEwD2fH8KaWh6eh0ikPT9F0= github.com/elastic/go-txfile v0.0.7 h1:Yn28gclW7X0Qy09nSMSsx0uOAvAGMsp6XHydbiLVe2s= github.com/elastic/go-txfile v0.0.7/go.mod h1:H0nCoFae0a4ga57apgxFsgmRjevNCsEaT6g56JoeKAE= github.com/elastic/go-ucfg v0.7.0/go.mod h1:iaiY0NBIYeasNgycLyTvhJftQlQEUO2hpF+FX0JKxzo= diff --git a/libbeat/metric/system/host/host.go b/libbeat/metric/system/host/host.go index 0d143ed2499..6f5c9c15849 100644 --- a/libbeat/metric/system/host/host.go +++ b/libbeat/metric/system/host/host.go @@ -53,7 +53,9 @@ func MapHostInfo(info types.HostInfo) common.MapStr { if info.OS.Build != "" { data.Put("host.os.build", info.OS.Build) } - + if info.OS.Type != "" { + data.Put("host.os.type", info.OS.Type) + } return data } diff --git a/libbeat/processors/add_host_metadata/add_host_metadata_test.go b/libbeat/processors/add_host_metadata/add_host_metadata_test.go index c41c7696635..6120269395c 100644 --- a/libbeat/processors/add_host_metadata/add_host_metadata_test.go +++ b/libbeat/processors/add_host_metadata/add_host_metadata_test.go @@ -75,6 +75,10 @@ func TestConfigDefault(t *testing.T) { v, err = newEvent.GetValue("host.mac") assert.NoError(t, err) assert.NotNil(t, v) + + v, err = newEvent.GetValue("host.os.type") + assert.NoError(t, err) + assert.NotNil(t, v) } func TestConfigNetInfoDisabled(t *testing.T) { @@ -118,6 +122,10 @@ func TestConfigNetInfoDisabled(t *testing.T) { v, err = newEvent.GetValue("host.mac") assert.Error(t, err) assert.Nil(t, v) + + v, err = newEvent.GetValue("host.os.type") + assert.NoError(t, err) + assert.NotNil(t, v) } func TestConfigName(t *testing.T) { diff --git a/libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc b/libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc index 21d308b23c1..c2a3b52994e 100644 --- a/libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc +++ b/libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc @@ -57,6 +57,7 @@ The fields added to the event look like the following: "id":"", "os":{ "family":"darwin", + "type":"macos", "build":"16G1212", "platform":"darwin", "version":"10.12.6", diff --git a/x-pack/auditbeat/module/system/fields.go b/x-pack/auditbeat/module/system/fields.go index 2fc71f8ac33..24f8a73989d 100644 --- a/x-pack/auditbeat/module/system/fields.go +++ b/x-pack/auditbeat/module/system/fields.go @@ -19,5 +19,5 @@ func init() { // AssetSystem returns asset data. // This is the base64 encoded gzipped contents of module/system. func AssetSystem() string { - return "eJy0WU1v27gW3ftXXHTTBHAVxG2CwosHpC8PL8G002CSAt3ZlHgtcUyRGpJKov76AakPSzZlW44qIEBEk+ec+0VeSR9gjcUcdKENphMAwwzHObx7dAPvJgAUdaRYZpgUc/jPBADgKUGNQBSCSRBWDDnVEKNARQxSCAs3XmJCKmnOMZgAKORINM4hREMmUC2cTyYAH0CQFOeAzyiM4zBFhnOIlcwzd19Ptv/Xs6ViMRNuqF6wxuJFKlqNebTb67tbB3LldDrOAJ4SpiEiAkIEAivGETJiEjjDIA5gefFM1AWXsf0LLpfn0wZNKgdjJdWQlemRTDMpUBgwCTGg8yzjDKmbQokhNbZAw5lYL8+Dti9yjepoV6AwzBQLRod74/4WcsH+yZEXwKgFWhVMxE6l1QBSAIFEahPAvQHrJZlmuY000UDg8e7mw+zqGhKik41TSkfYVXB/Oy2B7D9E0PLG6g46NhhUKROEDzfhqVpZ01qCji8zJSPU+mh3tmzZnt4r4o7oBHWTVa8Y5YaEHG1qobVDu5IhPJaKmSR1VNo5xC54JjxHN6VBdB7EV0ARSYoUKItRm2qms29b/8aCkJM1zsLF7Op6g+fx6JY5X77e/PG/WdgE1GPOpIfp4+dPpzB9/PxpKNPV5ewUpqvL2bFMOiGz2SBzHu9uZrOjLdEJGeiux7ubAZ6y+IvhFrg1wziGpVfJcXxuOY4TPLUY6quBKeU4huXT1eXshIhcXc4uhsXE8QyOiuM5Pi6vr8n1IFN+/rzea0RjgIzWeHwH8JuOvVLF4eOuMqbBbI67EgCYkBSnwGVEONw/1P9lUpkpKEylQTdsz4Dq1v7W9YjrJQKSU+b3i8e+7pHQOtakNs2g72jb4y97LS3AEiIpDGGi7vl4aTcTK6lSYtcFrVXbXV99bWtsNT6ZYSl2iEulXIq4M1wSzoHmyvF2fmQiy82iniKIkBojKajuzJK5aU8j+pYU3hmZwohp55TLzu97/GWvH84aYKItIfCYHUppegynxOAQzi9SGrBYPp4qeqjYL6QeslBKjkQM4Xu0ub6q0sAWScPhE2CF/ZICA3vrEbC9kRwh4M9W813Dt3vQKbhO+8vj015BcrXSaAKN0THZd0DT00aHRbUZsCf6VuV4/rir0HxMzBf0Ezng/tZHQVSUMIORydWIBnVgq2en18/Xi+tP5z4RKfFF8QTubzf/BUKpQq3RGzuWeYi2Bg9w3D/sp5DaQ7G9cx9gWUrd2rtb2zWQUObGFYvM7EO8PQerc6e73+7s2e1theJOAu/z+kGffH9sQKd2eyGiqKKujUITJeeBV0nGibG2jaqkBq0URCiM1FPIw1yYfAovTFD5onsUje4X97KhVPKNRHbkZw/1iqSMF6OSl5AVvUKaEDMFiiEjYgorhRhqesgjz6j09oH9Vl0Vpp9wjUogH4/vyVMs73VFsyulyU0SrUmMb2rCKoy9tUwEMKEN4RwpSOW6y2ekNf/bGrTtrvuQM/e6cl8fXqsd3IjXV9OQV0hQbia2365HPFnTW7YnmvjQIvfx+IrhjVR7rKriPSZbBdnXCoxJ1e4BfHycRSjGta6C9J78ZY2N0rbXdBVmb/+u2a+jHo6OIrNgXpI8TYkqTgAsF/owc8XHDMuPv77u7q/NS/M2xZDN1QIc7JLsJF2+F99tk47fT39XgwDwo/uGfcdLbBvx7WzdJ4ENVzwu1/9tLHvJKFNjG/ZeQyJTtNAYGdlN7fabN+QjthcAD0rGiqRgJKhcADHAZcx6uhubkItWro7q8eolj/tq037JA98FfGUif52CSZi2J7Qtjhgjqcts78mInceWWqEM/8bIDBO4dHAHmqGiJNWbj1pMQ0aUsY3DWYiFrL7C5GXEM8XsLlau2mph/ZUM+6v5UBSOigQ0+b9b2rC35Db0TBiMcbtKBtL3lV9GtPYY1/e0eji2NeD+8DZRq2bDmZCmaiCrEWY08tXgSFrlvyuSNzuyLWwAD1JrFvL2F0FY6oRQ+bJo/NGDedYx2nXGtjBF+VbbYbhP2+fTjW8XlGkScqTLaQ/qUsgNs+Uoi50SEaOSuXb9uCikQPcBncsYmDh3bXYfYqSKzLRBXxIU3ZC52FjtF2iiCzdMQSOmugfUyDpL7OMPCsfhnnlKxJ3ot7pGos0iSqxB/aWz086V11HBfnKf/IvOHlMb+kK0EwCVgGDybwAAAP//v4QD6w==" + return "eJy0Wl1v27AVffevuOhLE8BVELcJCj8MSJtiCdauwZwCfbMp8VriQpEaSSVRf/1A6sOSTdmWowoIYNPkOed+kLyk8gGesJiDLrTBdAJgmOE4h3cL1/BuAkBRR4plhkkxh39MAAAeE9QIRCGYBGHNkFMNMQpUxCCFsHDtJSakkuYcgwmAQo5E4xxCNGQC1cD5ZALwAQRJcQ74jMI4DlNkOIdYyTxz3+vO9nPdWyoWM+Ga6gFPWLxIRas2j3b7/HTjQK6dTscZwGPCNEREQIhAYM04QkZMAmcYxAGsLp6JuuAytn/B5ep82qBJ5WCspBqyMj2SaSYFCgMmIQZ0nmWcIXVdKDGkxhZoOBNPq/Og7YtcozraFSgMM8WS0eHeuL+FXLD/5cgLYNQCrQsmYqfSagApgEAitQng3oD1kkyz3EaaaCCwuLv5MLu6hoToZOOU0hF2FNzfTksg+4EIWn6xuoOODQZVygThw014rEbWtJag48tMyQi1PtqdLVu2u/eKuCM6Qd1k1StGuSEhR5taaO3QbsoQHkvFTJI6Ku0cYgc8E56j69IgOg/iK6CIJEUKlMWoTdXT2betf2NByMkTzsLl7Op6g+fx6JY5X77f/OvbLGwC6jFn0sP08fOnU5g+fv40lOnqcnYK09Xl7FgmnZDZbJA5i7ub2exoS3RCBrprcXczwFMWfzncAjdmGMew9Co5js8tx3GCp5ZDfTUwpRzHsHy6upydEJGry9nFsJg4nsFRcTzHx+X1NbkeZMrv39d7jWgMkNETHl8B/KVtr1RxeLurjGkwm+2uBAAmJMUpcBkRDvcP9adMKjMFhak06JrtHlB9tb91PeJqiYDklPn94rGvuyW0tjWpTdPo29r2+Ms+KwuwgkgKQ5ioaz5e2s3EWqqU2HFBa9R21Vc/2xpbhU9mWIod4lIplyLuNJeEc6C5crydH5nIcrOsuwgipMZICqo7vWRu2t2IviWFt0emMGLaOeWy8/sef9nnl7MGmGhLCDxmh1KaHsMpMTiE84uUBiyWj6eKHir2B6mHLJSSIxFD+BY219dVGthJ0nD4BFhhf6TAwH71CNheSI4Q8O9W8V3Dt2vQKbhK+8vica8guV5rNIHG6JjsO6DpcaPDotoM2BN9q3I8f9xVaD4m5gv6iRxwf+ujICpKmMHI5GpEgzqw1dnp9fP18vrTuU9ESnxRPIH7x81XIJQq1Bq9sWOZh2ir8QDH/cN+Cqk9FNsr9wGWldSttbu1XAMJZW7cZJGZPcTbfbDad7rr7c6a3V5WKO4k8D6vH/TJz0UDOrXLCxFFFXVtFJooOQ+8SjJOjLVtVCU1aKUgQmGknkIe5sLkU3hhgsoX3aNodL+4y4ZSyQ8S2ZbfPdRrkjJejEpeQlb0CmlCzBQohoyIKawVYqjpIY88o9LbG/ZbdVWYfsInVAL5eHyPnsnyXlc0+6VY1lENt6PhTCPCt68LkDqwDS3HNxODRE8kxjdVgBXG3oWECGBCG8I5UpDKlbbPSGv+t1WH2yX/IQfudd++Q0CtdvApoH6a00CFBOVKZov9usWTJ71rxokmPrTIfTy+mfhGqj1WVfEek62C7KtDxqRqFyA+Ps4iFONaV0F6y45yjo1yZqjpKszew4Nmf446mR1FZsG8JHmaElWcAFgO9GHmio8Zll//+b67vjY39m2KIYurBThYotlOuryU363Rjl9P/1Z1AvCre72/4yW2jfh2tu4xZMMVj8v1TxvLXjLK1NiGvdeQyBQtNEZGdlO7fe2HfMTaBuBByViRFIwElQsgBriMWU89YxNy2crVUT1e3TC5V0btGyb4KeA7E/nrFEzCtN2h7eSIMZK6zPaejNg5M9UKZfhfjMwwgSsHd6AYKkpSvXmjxjRkRBlbOJyFWMjqFVBeRjxTzK5i5ait+tk/k2H/bD4UhaMiAU3+705t2DvlNvRMGIxxe5YMpO+bfhnR2mNc31H5cGxrwP3hbaJW9YYzIU1VQFYtzGjk68GR9JwTYKxI3uzItrABPEitWcjbryNhpRNC5cuy8UcP5lnHaFcZ24kpyit1h+Heq59PN75dUqZJyJGupj2oKyE3zJajnOyUiBiVzLWrx0UhBbq391zGwMS5K7P7ECNVZKYN+pKg6IbMxcZqv0ATXbhmChox1T2gRtZZYo8/KByHO/OUiDvRb1WNRJtllFiD+qfOTjlXPkcF+9H9v0HRWWNqQ1+IdgKgEhBM/h8AAP//gcIhxw==" } diff --git a/x-pack/auditbeat/module/system/host/_meta/data.json b/x-pack/auditbeat/module/system/host/_meta/data.json index e0b0818dcae..a4494027c6b 100644 --- a/x-pack/auditbeat/module/system/host/_meta/data.json +++ b/x-pack/auditbeat/module/system/host/_meta/data.json @@ -47,6 +47,7 @@ }, "timezone.name": "UTC", "timezone.offset.sec": 0, + "type": "linux", "uptime": 18661357350265 } } diff --git a/x-pack/auditbeat/module/system/host/_meta/fields.yml b/x-pack/auditbeat/module/system/host/_meta/fields.yml index 642a3c44962..3d6ca173d83 100644 --- a/x-pack/auditbeat/module/system/host/_meta/fields.yml +++ b/x-pack/auditbeat/module/system/host/_meta/fields.yml @@ -77,3 +77,7 @@ type: keyword description: > The operating system's kernel version. + - name: type + type: keyword + description: > + OS type (see ECS os.type). diff --git a/x-pack/auditbeat/module/system/host/host.go b/x-pack/auditbeat/module/system/host/host.go index 9aa0f7fb2e7..3a4bb38dee9 100644 --- a/x-pack/auditbeat/module/system/host/host.go +++ b/x-pack/auditbeat/module/system/host/host.go @@ -144,6 +144,10 @@ func (host *Host) toMapStr() common.MapStr { mapstr.Put("os.codename", host.Info.OS.Codename) } + if host.Info.OS.Type != "" { + mapstr.Put("os.type", host.Info.OS.Type) + } + var ipStrings []string for _, ip := range host.Ips { ipStrings = append(ipStrings, ip.String()) @@ -362,6 +366,7 @@ func hostEvent(host *Host, eventType string, action eventAction) mb.Event { hostFields.CopyFieldsTo(hostTopLevel, "os.kernel") hostFields.CopyFieldsTo(hostTopLevel, "os.name") hostFields.CopyFieldsTo(hostTopLevel, "os.platform") + hostFields.CopyFieldsTo(hostTopLevel, "os.type") hostFields.CopyFieldsTo(hostTopLevel, "os.version") event.RootFields.Put("host", hostTopLevel)