Use ECS event.type: end (elastic#159)

renini · web-flow · commit 33356aad182c · 2024-11-04T14:31:19.000-05:00
The 'event.type: stop' value is not ECS compliant. 'event.type: end' the correct value.

In aucolesce, change the event.type for: SERVICE_STOP, DAEMON_ABORT, DAEMON_END
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - Fix panic in `parseSockaddr` for malformed socket address. [#152](https://github.com/elastic/go-libaudit/pull/152)
 - Set `SOCK_CLOEXEC` when creating the netlink socket to avoid leaking file descriptors. [#165](https://github.com/elastic/go-libaudit/pull/165)
 - Update syscall tables. [#167](https://github.com/elastic/go-libaudit/pull/167)
+- aucoalesce: Use ECS `event.type: end` instead of `stop` for SERVICE_STOP, DAEMON_ABORT, and DAEMON_END messages. [#159](https://github.com/elastic/go-libaudit/pull/159)
 
 ### Removed
 
diff --git a/aucoalesce/normalizations.yaml b/aucoalesce/normalizations.yaml
@@ -1230,7 +1230,7 @@ normalizations:
       what: service
     ecs:
       <<: *ecs-process
-      type: stop
+      type: end
 
   # Auditd internal events
 
@@ -1251,7 +1251,7 @@ normalizations:
       what: service
     ecs:
       <<: *ecs-process
-      type: stop
+      type: end
   # AUDIT_DAEMON_ACCEPT - Auditd accepted remote connection
   - record_types: DAEMON_ACCEPT
     action: remote-audit-connected
@@ -1287,7 +1287,7 @@ normalizations:
       what: service
     ecs:
       <<: *ecs-process
-      type: stop
+      type: end
   # AUDIT_DAEMON_ERR - Auditd internal error
   - record_types: DAEMON_ERR
     action: audit-error
