Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update ECS in auditbeat sessionmd processor #38994

Merged
merged 8 commits into from
Apr 18, 2024
Merged

Update ECS in auditbeat sessionmd processor #38994

merged 8 commits into from
Apr 18, 2024

Conversation

mjwolf
Copy link
Contributor

@mjwolf mjwolf commented Apr 16, 2024
edited
Loading

Proposed commit message

The sessionmd processor requires some of the latest process field from ECS, that are not currently in libbeat. This adds the required ECS field assets to the processor.

Without these fields, some field types would be incorrect. For example, session_leader.start should be date, but were sent as keyword.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

To verify this, build auditbeat, and run auditbeat export template and verify the template is correct. In particular, verify that process hassession_leader, entry_leader, and group_leader, and that start and end have type "date".

How to test this PR locally

Related issues

@mjwolf
Update ECS in auditbeat sessionmd processor
dbe55af 
The sessionmd processor requires the latest process field from ECS, so this
updates the ECS fields to the latest version, which has the required fields.
@mjwolf mjwolf requested review from andrewkroh and a team April 16, 2024 22:00
@mjwolf mjwolf requested a review from a team as a code owner April 16, 2024 22:00
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Apr 16, 2024
@mjwolf mjwolf added the Team:Security-Linux Platform Linux Platform Team in Security Solution label Apr 16, 2024
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Apr 16, 2024
@elasticmachine
Copy link
Collaborator

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

@mergify Mergify
Copy link
Contributor

mergify bot commented Apr 16, 2024

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @mjwolf? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

@mergify mergify bot assigned mjwolf Apr 16, 2024
@mjwolf mjwolf added the bugfix label Apr 16, 2024
@elasticmachine
Copy link
Collaborator

elasticmachine commented Apr 16, 2024
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2024-04-17T23:26:02.103+0000

  • Duration: 42 min 35 sec

Test stats 🧪

Test Results
Failed 0
Passed 467
Skipped 60
Total 527

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@mjwolf mjwolf added the backport-skip Skip notification from the automated backport with mergify label Apr 17, 2024
@mjwolf
Remove duplicate fields from sessionmd assets
0789e25 
Remove duplicate process fields that exist in the base `fields.ecs.yml`, and remove
some other fields that are not used in sessionmd.
@mjwolf
Merge remote-tracking branch 'origin/main' into sessionmd_ecs
7501f1d
@mjwolf
remove existing field
1b6ed51
@mjwolf
remove more duplicate fields
bbcdbfd
@mjwolf mjwolf enabled auto-merge (squash) April 17, 2024 23:25
@mjwolf mjwolf mentioned this pull request Apr 17, 2024
Closed
pkoutsovasilis
pkoutsovasilis approved these changes Apr 18, 2024
View reviewed changes
Copy link
Contributor

@pkoutsovasilis pkoutsovasilis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mjwolf mjwolf merged commit a0dfeea into elastic:main Apr 18, 2024
27 of 31 checks passed
@mjwolf mjwolf added backport-v8.14.0 Automated backport with mergify and removed backport-skip Skip notification from the automated backport with mergify labels Apr 18, 2024
@mjwolf mjwolf linked an issue Apr 22, 2024 that may be closed by this pull request
[Linux Integrations] [Auditbeat] Missing Fields causing Mapping conflicts #38989
Closed
@mjwolf mjwolf mentioned this pull request Apr 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pkoutsovasilis pkoutsovasilis pkoutsovasilis approved these changes

@andrewkroh andrewkroh Awaiting requested review from andrewkroh

Assignees

@mjwolf mjwolf

Labels
backport-v8.14.0 Automated backport with mergify bugfix Team:Security-Linux Platform Linux Platform Team in Security Solution
Projects
None yet
Milestone
No milestone
3 participants
@mjwolf @elasticmachine @pkoutsovasilis