[Filebeat][auditd] Fix event types and categories to comply with ECS (e…

…lastic#20652) (elastic#20794) * Fix event types and categories to comply with ECS * Add CHANGELOG entry * Regenerate test files (cherry picked from commit 2eef257)
leweafan · Aug 27, 2020 · d3c3826 · d3c3826
1 parent 5eedcd7
commit d3c3826
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 13 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -72,6 +72,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fixing `ingress_controller.` fields to be of type keyword instead of text. {issue}17834[17834]
 - Fixed typo in log message. {pull}17897[17897]
 - Fix long registry migration times. {pull}20717[20717] {issue}20705[20705]
+- Fix event types and categories in auditd module to comply with ECS {pull}20652[20652]
 
 *Heartbeat*
 

diff --git a/filebeat/module/auditd/log/ingest/pipeline.yml b/filebeat/module/auditd/log/ingest/pipeline.yml
@@ -137,24 +137,44 @@ processors:
     value: event
 - set:
     if: "ctx.auditd.log?.record_type == 'USER_AUTH'"
-    field: event.type
+    field: event.category
     value: authentication
 - set:
-    if: "ctx.auditd.log?.record_type == 'KERN_MODULE'"
+    if: "ctx.auditd.log?.record_type == 'USER_AUTH'"
     field: event.type
+    value: info
+- set:
+    if: "ctx.auditd.log?.record_type == 'KERN_MODULE'"
+    field: event.category
     value: driver
 - set:
-    if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'"
+    if: "ctx.auditd.log?.record_type == 'KERN_MODULE'"
     field: event.type
+    value: info
+- set:
+    if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'"
+    field: event.category
     value: package
 - set:
-    if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'"
+    if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'"
     field: event.type
+    value: info
+- set:
+    if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'"
+    field: event.category
     value: host
 - set:
-    if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'"
+    if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'"
     field: event.type
+    value: info
+- set:
+    if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'"
+    field: event.category
     value: process
+- set:
+    if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'"
+    field: event.type
+    value: info
 - set:
     if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' || ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID'"
     field: event.category

diff --git a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json
@@ -212,11 +212,12 @@
         "auditd.log.sequence": 19623789,
         "auditd.log.ses": "6793",
         "event.action": "user_auth",
+        "event.category": "authentication",
         "event.dataset": "auditd.log",
         "event.kind": "event",
         "event.module": "auditd",
         "event.outcome": "success",
-        "event.type": "authentication",
+        "event.type": "info",
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 1926,
@@ -234,11 +235,12 @@
         "auditd.log.sequence": 19623807,
         "auditd.log.ses": "12286",
         "event.action": "user_auth",
+        "event.category": "authentication",
         "event.dataset": "auditd.log",
         "event.kind": "event",
         "event.module": "auditd",
         "event.outcome": "success",
-        "event.type": "authentication",
+        "event.type": "info",
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 2122,

diff --git a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json
@@ -45,11 +45,12 @@
         "auditd.log.ses": "4294967295",
         "auditd.log.subj": "system_u:system_r:init_t:s0",
         "event.action": "system_boot",
+        "event.category": "host",
         "event.dataset": "auditd.log",
         "event.kind": "event",
         "event.module": "auditd",
         "event.outcome": "success",
-        "event.type": "host",
+        "event.type": "info",
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 419,

diff --git a/filebeat/module/auditd/log/test/test.log-expected.json b/filebeat/module/auditd/log/test/test.log-expected.json
@@ -167,11 +167,12 @@
         "auditd.log.sw": "gcc-4.8.5-39.el7.x86_64",
         "auditd.log.sw_type": "rpm",
         "event.action": "software_update",
+        "event.category": "package",
         "event.dataset": "auditd.log",
         "event.kind": "event",
         "event.module": "auditd",
         "event.outcome": "success",
-        "event.type": "package",
+        "event.type": "info",
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 1893,
@@ -188,11 +189,12 @@
         "auditd.log.ses": "4294967295",
         "auditd.log.subj": "system_u:system_r:init_t:s0",
         "event.action": "system_boot",
+        "event.category": "host",
         "event.dataset": "auditd.log",
         "event.kind": "event",
         "event.module": "auditd",
         "event.outcome": "success",
-        "event.type": "host",
+        "event.type": "info",
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 2196,
@@ -210,11 +212,12 @@
         "auditd.log.ses": "4294967295",
         "auditd.log.subj": "system_u:system_r:init_t:s0",
         "event.action": "system_shutdown",
+        "event.category": "host",
         "event.dataset": "auditd.log",
         "event.kind": "event",
         "event.module": "auditd",
         "event.outcome": "success",
-        "event.type": "host",
+        "event.type": "info",
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 2438,
@@ -254,10 +257,11 @@
         "auditd.log.syscall": "execve",
         "auditd.log.tty": "pts0",
         "event.action": "syscall",
+        "event.category": "process",
         "event.dataset": "auditd.log",
         "event.kind": "event",
         "event.module": "auditd",
-        "event.type": "process",
+        "event.type": "info",
         "fileset.name": "log",
         "host.architecture": "x86_64",
         "input.type": "log",
@@ -283,10 +287,11 @@
         "auditd.log.name": "mymodule",
         "auditd.log.sequence": 579397,
         "event.action": "kern_module",
+        "event.category": "driver",
         "event.dataset": "auditd.log",
         "event.kind": "event",
         "event.module": "auditd",
-        "event.type": "driver",
+        "event.type": "info",
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 3153,