Merge pull request #689 from andrewkroh/feature/1-1-wlb-rename-fields

Winlogbeat Rename Fields
elastic · Jan 12, 2016 · e73179a · e73179a
2 parents 3732c5a + c4e391b
commit e73179a
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 42 deletions.
diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc
@@ -66,7 +66,7 @@ Contains data from a Windows event log record.
 
 
 
-==== computerName
+==== computer_name
 
 type: string
 
@@ -84,7 +84,7 @@ required: False
 The category for this event. The meaning of this value depends on the event source.
 
 
-==== eventID
+==== event_id
 
 type: long
 
@@ -93,7 +93,7 @@ required: True
 The event identifier. The value is specific to the source of the event.
 
 
-==== eventLogName
+==== log_name
 
 type: string
 
@@ -120,7 +120,7 @@ required: False
 The message from the event log record.
 
 
-==== messageError
+==== message_error
 
 type: string
 
@@ -129,7 +129,7 @@ required: False
 The error that occurred while reading and formatting the message from the log. This field is mutually exclusive with `message`.
 
 
-==== messageInserts
+==== message_inserts
 
 type: list
 
@@ -138,16 +138,16 @@ required: False
 The raw message data logged by an application. Normally this data is inserted into parameterized string to create `message`, but in case of an error Winlogbeat attempts to provide this raw data. This field is mutually exclusive with `message`.
 
 
-==== recordNumber
+==== record_number
 
 type: string
 
 required: True
 
-The record number of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches 4294967295, the next record number will be 0.
+The record number of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for Window Event Log API), the next record number will be 0.
 
 
-==== sourceName
+==== source_name
 
 type: string
 
@@ -166,6 +166,8 @@ required: False
 
 The Windows security identifier (SID) of the account associated with this event.
 
+If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.
+
 
 ==== user.name
 

diff --git a/winlogbeat/etc/fields.yml b/winlogbeat/etc/fields.yml
@@ -56,7 +56,7 @@ eventlog:
   description: >
     Contains data from a Windows event log record.
   fields:
-    - name: computerName
+    - name: computer_name
       type: string
       required: true
       description: >
@@ -70,13 +70,13 @@ eventlog:
         The category for this event. The meaning of this value depends on the
         event source.
 
-    - name: eventID
+    - name: event_id
       type: long
       required: true
       description: >
         The event identifier. The value is specific to the source of the event.
 
-    - name: eventLogName
+    - name: log_name
       type: string
       required: true
       description: >
@@ -96,14 +96,14 @@ eventlog:
       description: >
         The message from the event log record.
 
-    - name: messageError
+    - name: message_error
       type: string
       required: false
       description: >
         The error that occurred while reading and formatting the message from
         the log. This field is mutually exclusive with `message`.
 
-    - name: messageInserts
+    - name: message_inserts
       type: list
       required: false
       description: >
@@ -112,16 +112,17 @@ eventlog:
         an error Winlogbeat attempts to provide this raw data. This field is
         mutually exclusive with `message`.
 
-    - name: recordNumber
+    - name: record_number
       type: string
       required: true
       description: >
         The record number of the event log record. The first record written
         to an event log is record number 1, and other records are numbered
-        sequentially. If the record number reaches 4294967295, the next record
-        number will be 0.
+        sequentially. If the record number reaches the maximum value (2^32^
+        for the Event Logging API and 2^64^ for Window Event Log API), the next
+        record number will be 0.
 
-    - name: sourceName
+    - name: source_name
       type: string
       required: true
       description: >
@@ -136,6 +137,12 @@ eventlog:
         The Windows security identifier (SID) of the account associated with
         this event.
 
+
+        If Winlogbeat cannot resolve the SID to a name, then the `user.name`,
+        `user.domain`, and `user.type` fields will be omitted from the event.
+        If you discover Winlogbeat not resolving SIDs, review the log for
+        clues as to what the problem may be.
+
     - name: user.name
       type: string
       required: false

diff --git a/winlogbeat/eventlog/eventlog.go b/winlogbeat/eventlog/eventlog.go
@@ -66,27 +66,27 @@ func (r Record) String() string {
 // ToMapStr returns a new MapStr containing the data from this Record.
 func (r Record) ToMapStr() common.MapStr {
 	m := common.MapStr{
-		"@timestamp":   common.Time(r.TimeGenerated),
-		"eventLogName": r.EventLogName,
-		"sourceName":   r.SourceName,
-		"computerName": r.ComputerName,
+		"@timestamp":    common.Time(r.TimeGenerated),
+		"log_name":      r.EventLogName,
+		"source_name":   r.SourceName,
+		"computer_name": r.ComputerName,
 		// Use a string to represent this uint64 data because its value can
 		// be outside the range represented by a Java long.
-		"recordNumber": strconv.FormatUint(r.RecordNumber, 10),
-		"eventID":      r.EventID,
-		"level":        r.Level,
-		"type":         r.API,
+		"record_number": strconv.FormatUint(r.RecordNumber, 10),
+		"event_id":      r.EventID,
+		"level":         r.Level,
+		"type":          r.API,
 	}
 
 	if r.Message != "" {
 		m["message"] = r.Message
 	} else {
 		if len(r.MessageInserts) > 0 {
-			m["messageInserts"] = r.MessageInserts
+			m["message_inserts"] = r.MessageInserts
 		}
 
 		if r.MessageErr != nil {
-			m["messageError"] = r.MessageErr.Error()
+			m["message_error"] = r.MessageErr.Error()
 		}
 	}
 

diff --git a/winlogbeat/tests/system/test_eventlog.py b/winlogbeat/tests/system/test_eventlog.py
@@ -93,11 +93,11 @@ def read_one_event(self, api):
         assert len(events) == 1
         evt = events[0]
         assert evt["type"] == api
-        assert evt["eventID"] == eventID
+        assert evt["event_id"] == eventID
         assert evt["level"] == "Information"
-        assert evt["eventLogName"] == self.providerName
-        assert evt["sourceName"] == self.applicationName
-        assert evt["computerName"].lower() == win32api.GetComputerName().lower()
+        assert evt["log_name"] == self.providerName
+        assert evt["source_name"] == self.applicationName
+        assert evt["computer_name"].lower() == win32api.GetComputerName().lower()
         assert evt["user.identifier"] == self.get_sid_string()
         assert evt["user.name"] == win32api.GetUserName()
         assert "user.type" in evt
@@ -116,8 +116,8 @@ def test_eventlogging_read_unknown_event_id(self):
         """
         evt = self.read_unknown_event_id("eventlogging")
 
-        assert "messageInserts" in evt
-        assert evt["messageError"].lower() == ("The system cannot find "
+        assert "message_inserts" in evt
+        assert evt["message_error"].lower() == ("The system cannot find "
             "message text for message number 1111 in the message file for "
             "C:\\Windows\\system32\\EventCreate.exe.").lower()
 
@@ -130,7 +130,7 @@ def test_wineventlog_read_unknown_event_id(self):
 
         # TODO: messageInserts has not been implemented for wineventlog.
         # assert "messageInserts" in evt
-        assert evt["messageError"] == ("the message resource is present but "
+        assert evt["message_error"] == ("the message resource is present but "
             "the message is not found in the string/message table")
 
     def read_unknown_event_id(self, api):
@@ -153,11 +153,11 @@ def read_unknown_event_id(self, api):
         assert len(events) == 1
         evt = events[0]
         assert evt["type"] == api
-        assert evt["eventID"] == eventID
+        assert evt["event_id"] == eventID
         assert evt["level"] == "Information"
-        assert evt["eventLogName"] == self.providerName
-        assert evt["sourceName"] == self.applicationName
-        assert evt["computerName"].lower() == win32api.GetComputerName().lower()
+        assert evt["log_name"] == self.providerName
+        assert evt["source_name"] == self.applicationName
+        assert evt["computer_name"].lower() == win32api.GetComputerName().lower()
         assert evt["user.identifier"] == self.get_sid_string()
         assert evt["user.name"] == win32api.GetUserName()
         assert "user.type" in evt
@@ -207,11 +207,11 @@ def read_unknown_sid(self, api):
         assert len(events) == 1
         evt = events[0]
         assert evt["type"] == api
-        assert evt["eventID"] == eventID
+        assert evt["event_id"] == eventID
         assert evt["level"] == "Information"
-        assert evt["eventLogName"] == self.providerName
-        assert evt["sourceName"] == self.applicationName
-        assert evt["computerName"].lower() == win32api.GetComputerName().lower()
+        assert evt["log_name"] == self.providerName
+        assert evt["source_name"] == self.applicationName
+        assert evt["computer_name"].lower() == win32api.GetComputerName().lower()
         assert evt["user.identifier"] == accountIdentifier
         assert "user.name" not in evt
         assert "user.type" not in evt