diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 0e3c87698aaa..e717f5d6b0c5 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -58,6 +58,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff] - Fix splitting array of strings/arrays in httpjson input {issue}30345[30345] {pull}33609[33609] - Fix Google workspace pagination and document ID generation. {pull}33666[33666] - Fix PANW handling of messages with event.original already set. {issue}33829[33829] {pull}33830[33830] +- Rename identity as identity_name when the value is a string in Azure Platform Logs. {pull}33654[33654] *Heartbeat* - Fix broken zip URL monitors. NOTE: Zip URL Monitors will be removed in version 8.7 and replaced with project monitors. {pull}33723[33723] diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 51a6eb4ee115..9c266c021ae0 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -3001,6 +3001,16 @@ type: keyword ActivityId +type: keyword + +-- + +*`azure.platformlogs.identity_name`*:: ++ +-- +Identity name + + type: keyword -- diff --git a/x-pack/filebeat/module/azure/fields.go b/x-pack/filebeat/module/azure/fields.go index 2b825bd87e67..b677bb85c69a 100644 --- a/x-pack/filebeat/module/azure/fields.go +++ b/x-pack/filebeat/module/azure/fields.go @@ -19,5 +19,5 @@ func init() { // AssetAzure returns asset data. // This is the base64 encoded zlib format compressed contents of module/azure. func AssetAzure() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/azure/platformlogs/_meta/fields.yml b/x-pack/filebeat/module/azure/platformlogs/_meta/fields.yml index 9f34d746114a..783c7604376c 100644 --- a/x-pack/filebeat/module/azure/platformlogs/_meta/fields.yml +++ b/x-pack/filebeat/module/azure/platformlogs/_meta/fields.yml 
@@ -56,6 +56,10 @@ type: keyword description: > ActivityId + - name: identity_name + type: keyword + description: | + Identity name - name: properties type: flattened description: > diff --git a/x-pack/filebeat/module/azure/platformlogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/platformlogs/ingest/pipeline.yml index 3ddb92eb6de2..c183126cc6ac 100644 --- a/x-pack/filebeat/module/azure/platformlogs/ingest/pipeline.yml +++ b/x-pack/filebeat/module/azure/platformlogs/ingest/pipeline.yml @@ -15,6 +15,12 @@ processors: - json: field: message target_field: azure.platformlogs +- rename: + field: azure.platformlogs.identity + target_field: azure.platformlogs.identity_name + ignore_missing: true + description: 'Rename the field to `identity_name` to avoid conflicts with the `identity` containing a JSON object.' + if: "ctx.azure?.platformlogs?.identity instanceof String" - date: field: azure.platformlogs.time target_field: '@timestamp' diff --git a/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-identity-raw.log b/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-identity-raw.log new file mode 100644 index 000000000000..72541102c819 --- /dev/null +++ b/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-identity-raw.log @@ -0,0 +1 @@ +{"Cloud":"AzureCloud","Environment":"prod","category":"kube-audit","ccpNamespace":"5e4bf4baee195b00017cdbfa","identity":"Michael Dell","operationName":"Microsoft.ContainerService/managedClusters/diagnosticLogs/Read","properties":{"log":"{\"kind\":\"Event\"}","pod":"kube-apiserver-666bd4b459-hjgdc"},"resourceId":"/SUBSCRIPTIONS/70BD6E77-4B1E-4835-8896-DB77B8EEF364/RESOURCEGROUPS/OBS-INFRASTRUCTURE/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/OBSKUBE","time":"2020-11-09T10:57:31.0000000Z"} 
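Review bot: The `description` for the new `identity_name` field says only `Identity name`, which does not tell a reader why it exists alongside `identity` or which of the two to query. Suggest wording it after the pipeline's own rationale, e.g. `Identity reported by the platform log when the source value is a plain string; object-valued identities remain under azure.platformlogs.identity.`, so the generated docs explain the split. The same text would flow into `filebeat/docs/fields.asciidoc` once regenerated.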
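Review bot: The added `rename` only relocates `identity` when it is a String, so a value that is neither a string nor an object (a number, or an array) still lands in `azure.platformlogs.identity`; if that field is mapped as an object elsewhere in the module (its mapping is not visible in this diff), such documents would be rejected at index time just as the string case was. Consider widening the guard to everything that is not an object, e.g. `if: "ctx.azure?.platformlogs?.identity != null && !(ctx.azure.platformlogs.identity instanceof Map)"`, or state in the processor `description` that only the string form is expected. `ignore_missing: true` is redundant with the `if` guard, since the condition is already false when the field is absent, but harmless. The expected-output fixture under `test/` covers only the string case; a second fixture with an object-valued `identity` would pin that the rename is skipped there.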
diff --git a/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-identity-raw.log-expected.json b/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-identity-raw.log-expected.json
new file mode 100644
index 000000000000..3a68b737d29a
--- /dev/null
+++ b/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-identity-raw.log-expected.json
@@ -0,0 +1,32 @@
+[
+ {
+ "@timestamp": "2020-11-09T10:57:31.000Z",
+ "azure.platformlogs.Cloud": "AzureCloud",
+ "azure.platformlogs.Environment": "prod",
+ "azure.platformlogs.category": "kube-audit",
+ "azure.platformlogs.ccpNamespace": "5e4bf4baee195b00017cdbfa",
+ "azure.platformlogs.event_category": "Administrative",
+ "azure.platformlogs.identity_name": "Michael Dell",
+ "azure.platformlogs.operation_name": "Microsoft.ContainerService/managedClusters/diagnosticLogs/Read",
+ "azure.platformlogs.properties.log.kind": "Event",
+ "azure.platformlogs.properties.pod": "kube-apiserver-666bd4b459-hjgdc",
+ "azure.resource.group": "OBS-INFRASTRUCTURE",
+ "azure.resource.id": "/SUBSCRIPTIONS/70BD6E77-4B1E-4835-8896-DB77B8EEF364/RESOURCEGROUPS/OBS-INFRASTRUCTURE/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/OBSKUBE",
+ "azure.resource.name": "OBSKUBE",
+ "azure.resource.provider": "MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS",
+ "azure.subscription_id": "70BD6E77-4B1E-4835-8896-DB77B8EEF364",
+ "cloud.provider": "azure",
+ "event.action": "Microsoft.ContainerService/managedClusters/diagnosticLogs/Read",
+ "event.dataset": "azure.platformlogs",
+ "event.kind": "event",
+ "event.module": "azure",
+ "event.original": "{\"Cloud\":\"AzureCloud\",\"Environment\":\"prod\",\"category\":\"kube-audit\",\"ccpNamespace\":\"5e4bf4baee195b00017cdbfa\",\"identity\":\"Michael Dell\",\"operationName\":\"Microsoft.ContainerService/managedClusters/diagnosticLogs/Read\",\"properties\":{\"log\":\"{\\\"kind\\\":\\\"Event\\\"}\",\"pod\":\"kube-apiserver-666bd4b459-hjgdc\"},\"resourceId\":\"/SUBSCRIPTIONS/70BD6E77-4B1E-4835-8896-DB77B8EEF364/RESOURCEGROUPS/OBS-INFRASTRUCTURE/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/OBSKUBE\",\"time\":\"2020-11-09T10:57:31.0000000Z\"}",
+ "fileset.name": "platformlogs",
+ "input.type": "log",
+ "log.offset": 0,
+ "service.type": "azure",
+ "tags": [
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file