system.auth - sync pipeline with Fleet integration (#32360)

Sync the pipeline for the system.auth dataset with the Fleet integration from elastic/integrations#3705. This removes the event.type authentication_failed and authentication_success values which are not allowed as per ECS. You can use event.category: authentication and event.outcome: success/failure to query instead.
elastic · Jul 20, 2022 · 475dd7e · 475dd7e
1 parent e41dc18
commit 475dd7e
Show file tree

Hide file tree

Showing 9 changed files with 238 additions and 240 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -109,6 +109,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 - Extend list of mapped record types in o365 Audit module. {pull}32217[32217]
 - Add references for CRI-O configuration in input-container and in our kubernetes manifests {issue}32149[32149] {pull}32151[32151]
 - httpjson input: Add `replaceAll` helper function to template context. {pull}32365[32365]
+- Optimize grok patterns in system.auth module pipeline. {pull}32360[32360]
 
 *Auditbeat*
 

diff --git a/filebeat/docs/modules/system.asciidoc b/filebeat/docs/modules/system.asciidoc
@@ -70,6 +70,13 @@ include::../include/var-paths.asciidoc[]
 
 include::../include/var-paths.asciidoc[]
 
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Include `preserve_orginal_event` causes the pipeline to retain the raw
+log in `event.original`. Defaults to `[]`.
+
 include::../include/timezone-support.asciidoc[]
 
 [float]

diff --git a/filebeat/module/system/_meta/docs.asciidoc b/filebeat/module/system/_meta/docs.asciidoc
@@ -63,6 +63,13 @@ include::../include/var-paths.asciidoc[]
 
 include::../include/var-paths.asciidoc[]
 
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Include `preserve_orginal_event` causes the pipeline to retain the raw
+log in `event.original`. Defaults to `[]`.
+
 include::../include/timezone-support.asciidoc[]
 
 [float]

diff --git a/filebeat/module/system/auth/config/auth.yml b/filebeat/module/system/auth/config/auth.yml
@@ -4,12 +4,14 @@ paths:
  - {{$path}}
 {{ end }}
 exclude_files: [".gz$"]
+
 multiline:
   pattern: "^\\s"
   match: after
+
 processors:
   - add_locale: ~
-  - add_fields:
-      target: ''
-      fields:
-        ecs.version: 1.12.0
+
+tags: {{ .tags | tojson }}
+
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}