Migrate Winlogbeat to ECS, take 2 #10333

Merged
merged 27 commits into from
Feb 5, 2019
27 commits
b45d1c1
Migrate Winlogbeat to ECS
ruflin Jan 18, 2019
4337c0a
Incorporate some of the PR feedback so far, introduce one new suggestion
Jan 24, 2019
eaa3b85
A few more suggested tweaks
Jan 30, 2019
85b422b
A lost Rubyist tries to dig into event_data
Jan 30, 2019
48ca9f8
Radical update:
Feb 1, 2019
1a0444f
Update my comment for a few other things we can grab
Feb 1, 2019
0f322b6
This should be roughly the final shape of the event. Next: aliases.
Feb 1, 2019
cc7e4d5
go fmt yourself
Feb 1, 2019
2b1fd37
Small field name adjustments, improving consistency
Feb 1, 2019
97db465
Add all the aliases we can
Feb 1, 2019
8f79d97
Reorder field defs for easier diffing
Feb 1, 2019
2103a8a
Move nest message_error, not actually sure it maps to ECS
Feb 1, 2019
a675128
Adjust the tests to the new field names
Feb 1, 2019
77dc2d4
Minor improvements
Feb 1, 2019
3351e81
Remove debugging statement, remove host.hostname and dataset from events
Feb 4, 2019
8bbebdd
Make sure all fields defined in same order, for diffing purposes
Feb 4, 2019
1e37c2e
Remove field defs used for debugging
Feb 4, 2019
8d311f1
Changelog
Feb 4, 2019
b917cbb
Improve how event.code and event.original are defined in fields.yml
Feb 4, 2019
7ca07a8
Document all field migrations in ecs-migration.yml
Feb 4, 2019
bf2a668
Modify documentation to match field names now emitted by Winlogbeat
Feb 4, 2019
8125638
Space. The final frontier.
Feb 4, 2019
798b0f8
Set overwrite:true on the re-definition of event.original.
Feb 4, 2019
0e5b0b9
Migrate message_error to error.message. Populate error.code (new)
Feb 5, 2019
58c08c5
Update dashboard to the new field names
Feb 5, 2019
0c397a6
Adjust text labels on dashboard to better match the new field names
Feb 5, 2019
7d26f79
Fix entry in ecs-mig.yml
Feb 5, 2019
2 changes: 2 additions & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -133,6 +133,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d

*Winlogbeat*

- Adjust Winlogbeat fields to map to ECS. {pull}10333[10333]

*Functionbeat*

- Correctly normalize Cloudformation resource name. {issue}10087[10087]
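Review bot: the changelog entry should say how existing users of the old field names are affected, because renaming `log_name`, `event_id`, `source_name` and the other top-level fields will otherwise silently break saved searches, visualisations and alert rules written against them. The dev-tools/ecs-migration.yml in this PR marks every moved field `alias: true`, so a sentence along the lines of "Old field names remain available as index aliases pointing at the new winlog.* and ECS fields" would tell readers what keeps working and what they still need to update.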
115 changes: 115 additions & 0 deletions dev-tools/ecs-migration.yml
Expand Up @@ -2032,3 +2032,118 @@
to: event.created
alias: true
beat: journalbeat

## Winlogbeat

# Alias to ECS fields

- from: xml
to: event.original
alias: true
beat: winlogbeat

- from: level
to: log.level
alias: true
beat: winlogbeat

# Move fields to winlog.* section, to reduce chances of top level field name conflicts.

# renames to match Windows Event Log naming

- from: type
to: winlog.api
alias: true
beat: winlogbeat

- from: log_name
to: winlog.channel
alias: true
beat: winlogbeat

- from: record_number
to: winlog.record_id
alias: true
beat: winlogbeat

- from: process_id
to: winlog.process.pid
alias: true
beat: winlogbeat

- from: source_name
to: winlog.provider_name
alias: true
beat: winlogbeat

- from: thread_id
to: winlog.process.thread.id
alias: true
beat: winlogbeat

# Fields moved without adjusting the name

- from: activity_id
to: winlog.activity_id
alias: true
beat: winlogbeat

- from: computer_name
to: winlog.computer_name
alias: true
beat: winlogbeat

- from: event_id
to: winlog.event_id
alias: true
beat: winlogbeat

- from: keywords
to: winlog.keywords
alias: true
beat: winlogbeat

- from: message_error
to: error.message
alias: true
beat: winlogbeat

- from: related_activity_id
to: winlog.related_activity_id
alias: true
beat: winlogbeat

- from: opcode
to: winlog.opcode
alias: true
beat: winlogbeat

- from: provider_guid
to: winlog.provider_guid
alias: true
beat: winlogbeat

- from: task
to: winlog.task
alias: true
beat: winlogbeat

- from: user.identifier
to: winlog.user.identifier
alias: true
beat: winlogbeat

- from: user.domain
to: winlog.user.domain
alias: true
beat: winlogbeat

- from: user.type
to: winlog.user.type
alias: true
beat: winlogbeat

- from: version
to: winlog.version
alias: true
beat: winlogbeat
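Review bot: the `message_error` -> `error.message` entry is filed under the `# Fields moved without adjusting the name` comment, but it is a rename onto an ECS field rather than a move into winlog.*; it belongs beside the `xml` -> `event.original` and `level` -> `log.level` entries under `# Alias to ECS fields`, otherwise the section comments misdescribe the mapping. Separately, `event_id` is aliased only to `winlog.event_id` here while commit b917cbb defines `event.code` in fields.yml; since `event.code` is the field ECS-based detection content will query, state in this file whether the Windows event ID is also populated there, so readers of the migration table know which name to target.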