[Auditbeat] Add message field to system module #9483
Conversation
|
Pinging @elastic/secops |
cwurm
force-pushed
the
message_everywhere_squashed
branch
from
f8b2403 to
df08708
Compare
| var actionString string | ||
| switch action { | ||
| case eventActionExistingUser: | ||
| actionString = "Existing" |
There was a problem hiding this comment.
These could have been a method on the eventAction type, like Render() or something like that. Just an idea.
There was a problem hiding this comment.
I agree in general. In this case I prefer this since the value is only ever used right after being filled. A method would separate this flow, and probably to different parts of the file.
| return message | ||
| } | ||
|
|
||
| func fmtDuration(d time.Duration) string { |
There was a problem hiding this comment.
Functions like this should get some unit tests. Fine with adding them later in this case, but normally we'd expect them with the PR.
|
Some unit tests should be added at least for:
|
There was a problem hiding this comment.
LGTM overall.
Two things I'd like to bring up:
- Can you use "LISTENING" instead of "OPEN", for socket message? Seems more in line with the system terminology
- Is it possible to report previous and new host ID, when it changes?
This makes me realize that integration tests will be a challenge. The current state of having many values change around because it's a different run of the VM will make it hard to spot legit differences that are expected or that should be investigated.
Perhaps we could separate the tests in two. Test how the data/events are acquired and do high level checks on them (field names, regexes on values), then have unit tests that start from static states, and ensure they are processed correctly, with very precise diffs like we have right now. This kind of assumes we can split these tests via an intermediate state, however...
But that's for later. Only my two bullet points above need discussion. I'm good if we move forward despite my points, however.
cwurm
force-pushed
the
message_everywhere_squashed
branch
from
31aaa3d to
48d5ac7
Compare
This adds a top-level `message` field to the `host`, `process`, `socket`, and `user` metricsets.
This adds a top-level
messagefield to thehost,process,socket, andusermetricsets.Some example messages:
Ubuntu host ubuntu-bionic (IP: 10.0.2.15) is up for 0 days, 5 hours, 11 minutesProcess zsh (PID: 2363) is RUNNINGInbound socket (10.0.2.2:52002 -> 10.0.2.15:22) OPEN by process sshd (PID: 2293) and user root (UID: 0)Existing user elastic (UID: 1002, Groups: elastic,docker)