[Filebeat] Ensure Kibana audit event.category and event.type are still processed as strings.
#25101
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
botelastic
bot
added
the
needs_team
lukeelmers
added
Filebeat
botelastic
bot
removed
the
needs_team
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
Trends 🧪💚 Flaky test reportTests succeeded. Expand to view the summary
Test stats 🧪
|
thomheymann
reviewed
Apr 15, 2021
legrego
reviewed
Apr 15, 2021
|
Pinging @elastic/integrations (Team:Integrations) |
legrego
reviewed
Apr 15, 2021
There was a problem hiding this comment.
Thanks for addressing my earlier comments - I think this does exactly what we need it to do. Code changes LGTM, but I'm on PTO from now until after feature freeze, so I won't have a chance to pull this down to verify. It'd be great if @thomheymann or someone else from @elastic/kibana-security can do the official review/approval in my absence.
sayden
approved these changes
Apr 19, 2021
thomheymann
approved these changes
Apr 20, 2021
|
Thanks all!
Can confirm that this preserves the same formatting in both Discover and Logs UI. Here's an example log entry from both where the array logs ui discover |
lukeelmers
added
v7.13.0
v8.0.0
and removed
backport-v7.13.0
lukeelmers
added a commit
to lukeelmers/beats
that referenced
this pull request
Apr 20, 2021
…still processed as strings. (elastic#25101)
v1v
added a commit
to v1v/beats
that referenced
this pull request
Apr 21, 2021
…-github-pr-comment-template * upstream/master: Check native environment before starting (elastic#25186) Change event.code and winlog.event_id type (elastic#25176) [Ingest Manager] Proxy processes/elastic-agent to stats (elastic#25193) Update mergify backporting to 7.x and 7.13 (elastic#25196) [Heartbeat]: ensure synthetics version co* [Heartbeat]: ensure synthetics version compatability for suites * address review and fix notice * fix lowercase struct * fix version conflict and rebase * update go.* stuff to master * fix notice.txt * move validate inside sourcempatability for suites (elastic#24777) [Filebeat] Ensure Kibana audit `event.category` and `event.type` are still processed as strings. (elastic#25101) Update replace.asciidoc (elastic#25055) Fix nil panic when overwriting metadata (elastic#24741) [Filebeat] Add Malware Bazaar to Threat Intel Module (elastic#24570) Fix k8s svc selectors mapping (elastic#25169) [Ingest Manager] Make agent retry values for bootstraping configurable (elastic#25163) [Metricbeat] Remove elasticsearc.index.created from the SM code (elastic#25113)
v1v
added a commit
to v1v/beats
that referenced
this pull request
Apr 22, 2021
…ng-versions-stack * upstream/master: (28 commits) Add support for parsers in filestream input (elastic#24763) Skip flaky test TestFilestreamTruncate (elastic#25218) backport: Add 7.13 branch (elastic#25189) Update decode_json_fields.asciidoc (elastic#25056) [Elastic Agent] Fix status and inspect command to work inside running container (elastic#25204) Check native environment before starting (elastic#25186) Change event.code and winlog.event_id type (elastic#25176) [Ingest Manager] Proxy processes/elastic-agent to stats (elastic#25193) Update mergify backporting to 7.x and 7.13 (elastic#25196) [Heartbeat]: ensure synthetics version co* [Heartbeat]: ensure synthetics version compatability for suites * address review and fix notice * fix lowercase struct * fix version conflict and rebase * update go.* stuff to master * fix notice.txt * move validate inside sourcempatability for suites (elastic#24777) [Filebeat] Ensure Kibana audit `event.category` and `event.type` are still processed as strings. (elastic#25101) Update replace.asciidoc (elastic#25055) Fix nil panic when overwriting metadata (elastic#24741) [Filebeat] Add Malware Bazaar to Threat Intel Module (elastic#24570) Fix k8s svc selectors mapping (elastic#25169) [Ingest Manager] Make agent retry values for bootstraping configurable (elastic#25163) [Metricbeat] Remove elasticsearc.index.created from the SM code (elastic#25113) [Ingest Manager] Keep http and logging config during enroll (elastic#25132) Refactor kubernetes autodiscover to avoid skipping short-living pods (elastic#24742) [libbeat] New decode xml wineventlog processor (elastic#25115) ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is my first PR to the Beats repo, please don't hesitate to let me know if there's anything important I'm missing ❤️
What does this PR do?
These changes affect the filebeat kibana module. In elastic/kibana#96350, we adjusted the
event.typeandevent.categoryfields in kibana's audit logs to be arrays instead of strings. To preserve backwards compatibility, this updates the audit ingest pipeline to pull the first value out of the array and send it as a string (there will only be one value in these arrays).Note: This should be merged in the same release as elastic/kibana#96350 (targeting 7.13)
Why is it important?
Kibana's core team is working to ensure that our new logging system adheres to ECS, and these were two existing fields we identified that should be changed.
Checklist
[ ] I have commented my code, particularly in hard-to-understand areas[ ] I have made corresponding changes to the documentation[ ] I have made corresponding change to the default configuration filesCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.cc @legrego @thomheymann