90eb406
Test elastic-package from PR 2285 - 9fb80b4570ee4fdb85deca5ceaa24aa4e…
Dec 19, 2024
0bdbe2f
Test validation based on mappings
mrodm Dec 19, 2024
f0c0f78
Test elastic-package from PR 2285 - 2ad28ac1c76f72209c7797fc6da838594…
Dec 19, 2024
009101f
Test elastic-package from PR 2285 - a718796431faedeefe457e525de4ae5f4…
Jan 8, 2025
5e8abed
Test elastic-package from PR 2285 - 9ff3d0cf145ed8cd6c4563519d7bde7cf…
Jan 8, 2025
e5ceadd
Test elastic-package from PR 2285 - ebda8599dab64514208de7aab38ef45fd…
Jan 8, 2025
f100e53
Test elastic-package from PR 2285 - 8f36c189acbd6ff0328b2154aec9168f9…
Jan 9, 2025
6d7b2de
Test subset packages
mrodm Jan 9, 2025
b64079c
Test elastic-package from PR 2285 - dbca4feac02cb94243a6bbb0eb8bbd888…
Jan 9, 2025
0b451eb
Revert "Test subset packages"
mrodm Jan 9, 2025
704fabc
Test subset packages
mrodm Jan 10, 2025
6876013
Test with 8.18.0-SNAPSHOT
mrodm Jan 10, 2025
bae2b3f
First batch of workarounds - to be confirmed
mrodm Jan 14, 2025
ad9e39f
Remove asterisk from flattened types - to be confirmed
mrodm Jan 14, 2025
ca101bc
Update subset packages to test
mrodm Jan 14, 2025
8ecbe7a
Update docs
mrodm Jan 14, 2025
1868ddd
update docs box_events
mrodm Jan 14, 2025
b1ffc45
Test elastic-package from PR 2285 - 8fce0ec8
mrodm Jan 14, 2025
4b72d15
Re-generate sample_event.json
mrodm Jan 14, 2025
afbee35
Upate README auditd_manager
mrodm Jan 15, 2025
c6dfe63
Test elastic-package from PR 2347 - 460b42027261
mrodm Jan 22, 2025
2240a37
Update sync.time.field transform setting
mrodm Jan 23, 2025
c8d7b44
Move all github.* field definitions to the same group field
mrodm Jan 23, 2025
3274e5e
Revert "Move all github.* field definitions to the same group field"
mrodm Jan 23, 2025
1a0faa6
Add missing field to ti_custom
mrodm Jan 24, 2025
d2505f4
Add external ecs for ecs message field in github.code_scanning
mrodm Jan 24, 2025
62cc835
Add related.ip into tychon transforms
mrodm Jan 24, 2025
25000b1
Added missing definitions in wiz transforms
mrodm Jan 24, 2025
07c164f
Test elastic-package from PR 2347 - aff903b7
mrodm Jan 24, 2025
7f949b7
Test with more packages
mrodm Jan 24, 2025
e3001b1
Update missing fields in tychon
mrodm Jan 24, 2025
d2ca1e1
Test elastic-package from PR 2347 - a65efc3156a0
mrodm Jan 27, 2025
38c73da
Add override parameter to some processors - teleport
mrodm Jan 27, 2025
1813e3a
Report pipeline failures - to be removed
mrodm Jan 27, 2025
a2d7589
Add workarounds for teleport fields
mrodm Jan 27, 2025
9e16301
Test elastic-package from PR 2347 - afac6f361e37
mrodm Jan 27, 2025
92287ae
Remove asterisk from flattened field definition - mongodb_atlas
mrodm Jan 28, 2025
4b918af
Update event-groups ingest pipeline - teleport
mrodm Jan 28, 2025
9aa2359
Remove another asterisk from flattened field definition - mongodb_atlas
mrodm Jan 28, 2025
bea474f
Update Readme mongodb_atlas
mrodm Jan 28, 2025
8546f23
Add thread_local_cluster_manager field defs - envoyproxy.stats
mrodm Jan 29, 2025
cb8069a
Update envoyproxy docs
mrodm Jan 29, 2025
cb15bb8
Update mongodb_atlas - keep just flattened
mrodm Jan 29, 2025
693abde
Reverted changes in test configuration - envoyproxy
mrodm Jan 29, 2025
2ca62a8
Test updating dynamic template - sublime_security.email_message
mrodm Jan 29, 2025
542f0a1
Test elastic-package from PR 2347 - 1d539eef6799
mrodm Jan 29, 2025
70dde4a
Add another option tgo sublime_security.email_message
mrodm Jan 29, 2025
98b98f9
Add comment into transform settings - ti_anomali
mrodm Jan 29, 2025
280e2e6
Remove field definition - auditd_manager
mrodm Jan 30, 2025
0d86a54
Test elastic-package from PR 2381 - a82e4e12 include fields validation
mrodm Feb 5, 2025
dd4535c
Update logstash owner in manifest
mrodm Feb 5, 2025
3739ab5
Merge upstream/main into test-packages-mappings
mrodm Feb 25, 2025
88f838a
Test elastic-package from PR 2381 - b0e11ddc include fields validation
mrodm Feb 25, 2025
Re-generate sample_event.json
Re-generate the sample_event file, since there were errors related to a
field not having the expected type (auditd.data.audit_pid). This probably was
not failing previously because "auditd.data" was declared as
flattened, and that is skipped in validation.
mrodm committed Feb 6, 2025
commit 4b72d15e9f00f380354afb725bde61e9a11678a8
78 changes: 50 additions & 28 deletions packages/auditd_manager/data_stream/auditd/sample_event.json
@@ -1,22 +1,22 @@
{
"@timestamp": "2022-05-12T13:10:13.230Z",
"@timestamp": "2025-01-14T18:00:56.117Z",
"agent": {
"ephemeral_id": "cfe4170e-f9b4-435f-b19c-a0e75b573b3a",
"id": "753ce520-4f32-45b1-9212-c4dcc9d575a1",
"name": "custom-agent",
"ephemeral_id": "df24f825-df17-4f54-b3c4-3048edbdf123",
"id": "da084743-3b4d-43eb-a6c9-f26c44204375",
"name": "elastic-agent-90019",
"type": "auditbeat",
"version": "8.2.0"
"version": "8.16.0"
},
"auditd": {
"data": {
"a0": "a",
"a1": "c00024e8c0",
"a2": "38",
"a0": "10",
"a1": "c001144140",
"a2": "3c",
"a3": "0",
"arch": "x86_64",
"audit_pid": "22501",
"audit_pid": 2532842,
"auid": "unset",
"exit": "56",
"exit": "60",
"old": "0",
"op": "set",
"result": "success",
Expand All @@ -25,23 +25,24 @@
"family": "netlink",
"saddr": "100000000000000000000000"
},
"subj_user": "docker-default",
"syscall": "sendto",
"tty": "(none)"
},
"message_type": "config_change",
"messages": [
"type=CONFIG_CHANGE msg=audit(1652361013.230:94471): op=set audit_pid=22501 old=0 auid=4294967295 ses=4294967295 res=1",
"type=SYSCALL msg=audit(1652361013.230:94471): arch=c000003e syscall=44 success=yes exit=56 a0=a a1=c00024e8c0 a2=38 a3=0 items=0 ppid=9509 pid=22501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"auditbeat\" exe=\"/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat\" key=(null)",
"type=SOCKADDR msg=audit(1652361013.230:94471): saddr=100000000000000000000000",
"type=PROCTITLE msg=audit(1652361013.230:94471): proctitle=2F7573722F73686172652F656C61737469632D6167656E742F646174612F656C61737469632D6167656E742D6239613238612F696E7374616C6C2F6175646974626561742D382E322E302D6C696E75782D7838365F36342F617564697462656174002D63006175646974626561742E656C61737469632D6167656E742E796D6C"
"type=CONFIG_CHANGE msg=audit(1736877656.117:1197107): op=set audit_pid=2532842 old=0 auid=4294967295 ses=4294967295 subj=docker-default res=1",
"type=SYSCALL msg=audit(1736877656.117:1197107): arch=c000003e syscall=44 success=yes exit=60 a0=10 a1=c001144140 a2=3c a3=0 items=0 ppid=2531521 pid=2532842 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"agentbeat\" exe=\"/usr/share/elastic-agent/data/elastic-agent-3f07f2/components/agentbeat\" subj=docker-default key=(null)",
"type=SOCKADDR msg=audit(1736877656.117:1197107): saddr=100000000000000000000000",
"type=PROCTITLE msg=audit(1736877656.117:1197107): proctitle=2F7573722F73686172652F656C61737469632D6167656E742F646174612F656C61737469632D6167656E742D3366303766322F636F6D706F6E656E74732F6167656E746265617400617564697462656174002D450073657475702E696C6D2E656E61626C65643D66616C7365002D450073657475702E74656D706C6174652E65"
],
"result": "success",
"summary": {
"actor": {
"primary": "unset",
"secondary": "root"
},
"how": "/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat",
"how": "/usr/share/elastic-agent/data/elastic-agent-3f07f2/components/agentbeat",
"object": {
"primary": "set",
"type": "audit-config"
Expand All @@ -63,21 +64,24 @@
},
"id": "0",
"name": "root"
},
"selinux": {
"user": "docker-default"
}
}
},
"data_stream": {
"dataset": "auditd_manager.auditd",
"namespace": "ep",
"namespace": "73800",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "753ce520-4f32-45b1-9212-c4dcc9d575a1",
"id": "da084743-3b4d-43eb-a6c9-f26c44204375",
"snapshot": false,
"version": "8.2.0"
"version": "8.16.0"
},
"event": {
"action": "changed-audit-configuration",
Expand All @@ -88,32 +92,50 @@
"network"
],
"dataset": "auditd_manager.auditd",
"ingested": "2022-05-12T13:10:16Z",
"ingested": "2025-01-14T18:00:59Z",
"kind": "event",
"module": "auditd",
"original": "type=CONFIG_CHANGE msg=audit(1652361013.230:94471): op=set audit_pid=22501 old=0 auid=4294967295 ses=4294967295 res=1\ntype=SYSCALL msg=audit(1652361013.230:94471): arch=c000003e syscall=44 success=yes exit=56 a0=a a1=c00024e8c0 a2=38 a3=0 items=0 ppid=9509 pid=22501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"auditbeat\" exe=\"/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat\" key=(null)\ntype=SOCKADDR msg=audit(1652361013.230:94471): saddr=100000000000000000000000\ntype=PROCTITLE msg=audit(1652361013.230:94471): proctitle=2F7573722F73686172652F656C61737469632D6167656E742F646174612F656C61737469632D6167656E742D6239613238612F696E7374616C6C2F6175646974626561742D382E322E302D6C696E75782D7838365F36342F617564697462656174002D63006175646974626561742E656C61737469632D6167656E742E796D6C",
"original": "type=CONFIG_CHANGE msg=audit(1736877656.117:1197107): op=set audit_pid=2532842 old=0 auid=4294967295 ses=4294967295 subj=docker-default res=1\ntype=SYSCALL msg=audit(1736877656.117:1197107): arch=c000003e syscall=44 success=yes exit=60 a0=10 a1=c001144140 a2=3c a3=0 items=0 ppid=2531521 pid=2532842 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"agentbeat\" exe=\"/usr/share/elastic-agent/data/elastic-agent-3f07f2/components/agentbeat\" subj=docker-default key=(null)\ntype=SOCKADDR msg=audit(1736877656.117:1197107): saddr=100000000000000000000000\ntype=PROCTITLE msg=audit(1736877656.117:1197107): proctitle=2F7573722F73686172652F656C61737469632D6167656E742F646174612F656C61737469632D6167656E742D3366303766322F636F6D706F6E656E74732F6167656E746265617400617564697462656174002D450073657475702E696C6D2E656E61626C65643D66616C7365002D450073657475702E74656D706C6174652E65",
"outcome": "success",
"sequence": 94471,
"sequence": 1197107,
"type": [
"change",
"connection",
"info"
]
},
"host": {
"name": "custom-agent"
"architecture": "x86_64",
"containerized": false,
"hostname": "elastic-agent-90019",
"ip": [
"192.168.176.2",
"192.168.144.5"
],
"mac": [
"02-42-C0-A8-90-05",
"02-42-C0-A8-B0-02"
],
"name": "elastic-agent-90019",
"os": {
"kernel": "6.8.0-51-generic",
"name": "Wolfi",
"platform": "wolfi",
"type": "linux",
"version": "20230201"
}
},
"network": {
"direction": "egress"
},
"process": {
"executable": "/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat",
"name": "auditbeat",
"executable": "/usr/share/elastic-agent/data/elastic-agent-3f07f2/components/agentbeat",
"name": "agentbeat",
"parent": {
"pid": 9509
"pid": 2531521
},
"pid": 22501,
"title": "/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat -c auditbeat.elastic-agent.yml"
"pid": 2532842,
"title": "/usr/share/elastic-agent/data/elastic-agent-3f07f2/components/agentbeat auditbeat -E setup.ilm.enabled=false -E setup.template.e"
},
"service": {
"type": "auditd"
Expand All @@ -130,4 +152,4 @@
"id": "0",
"name": "root"
}
}
}