Add back in user.effective.* fields to auditd integrations due to no …

…longer using experimental schema
elastic · Jan 26, 2021 · 8c8012f · 8c8012f
1 parent 0879f85
commit 8c8012f
Show file tree

Hide file tree

Showing 6 changed files with 140 additions and 2 deletions.
diff --git a/auditbeat/_meta/fields.common.yml b/auditbeat/_meta/fields.common.yml
@@ -66,6 +66,27 @@
         type: keyword
         description: Audit user name.
 
+    - name: effective
+      type: group
+      description: Effective user information.
+      fields:
+      - name: id
+        type: keyword
+        description: Effective user ID.
+      - name: name
+        type: keyword
+        description: Effective user name.
+      - name: group
+        type: group
+        description: Effective group information.
+        fields:
+        - name: id
+          type: keyword
+          description: Effective group ID.
+        - name: name
+          type: keyword
+          description: Effective group name.
+
     - name: filesystem
       type: group
       description: Filesystem user information.

diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc
@@ -2722,6 +2722,54 @@ type: keyword
 
 --
 
+[float]
+=== effective
+
+Effective user information.
+
+
+*`user.effective.id`*::
++
+--
+Effective user ID.
+
+type: keyword
+
+--
+
+*`user.effective.name`*::
++
+--
+Effective user name.
+
+type: keyword
+
+--
+
+[float]
+=== group
+
+Effective group information.
+
+
+*`user.effective.group.id`*::
++
+--
+Effective group ID.
+
+type: keyword
+
+--
+
+*`user.effective.group.name`*::
++
+--
+Effective group name.
+
+type: keyword
+
+--
+
 [float]
 === filesystem
 

diff --git a/auditbeat/include/fields.go b/auditbeat/include/fields.go
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -523,6 +523,54 @@ type: keyword
 Name of the group.
 
 
+type: keyword
+
+--
+
+[float]
+=== effective
+
+Effective user information.
+
+
+*`user.effective.id`*::
++
+--
+Effective user ID.
+
+type: keyword
+
+--
+
+*`user.effective.name`*::
++
+--
+Effective user name.
+
+type: keyword
+
+--
+
+[float]
+=== group
+
+Effective group information.
+
+
+*`user.effective.group.id`*::
++
+--
+Effective group ID.
+
+type: keyword
+
+--
+
+*`user.effective.group.name`*::
++
+--
+Effective group name.
+
 type: keyword
 
 --

diff --git a/filebeat/module/auditd/_meta/fields.yml b/filebeat/module/auditd/_meta/fields.yml
@@ -36,6 +36,27 @@
               description: >
                     Name of the group.
 
+        - name: effective
+          type: group
+          description: Effective user information.
+          fields:
+          - name: id
+            type: keyword
+            description: Effective user ID.
+          - name: name
+            type: keyword
+            description: Effective user name.
+          - name: group
+            type: group
+            description: Effective group information.
+            fields:
+            - name: id
+              type: keyword
+              description: Effective group ID.
+            - name: name
+              type: keyword
+              description: Effective group name.
+
         - name: filesystem
           type: group
           fields:

diff --git a/filebeat/module/auditd/fields.go b/filebeat/module/auditd/fields.go