Auditbeat: Set file.origin type to keyword

The `file.origin` field is set by auditbeat's file_integrity module under macOs. This field was set to `text` type instead of `keyword`.
elastic · Feb 4, 2019 · 30703a6 · 30703a6
1 parent 0fd59ee
commit 30703a6
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 3 deletions.
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
@@ -22,6 +22,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Auditbeat*
 
+- Field `file.origin` changed type from `text` to `keyword`. {pull}10544[10544]
+
 *Filebeat*
 
 - Modify apache/error dataset to follow ECS. {pull}8963[8963]

diff --git a/auditbeat/_meta/fields.common.yml b/auditbeat/_meta/fields.common.yml
@@ -19,7 +19,7 @@
       description: Set if the file has the `setgid` bit set. Omitted otherwise.
 
     - name: origin
-      type: text
+      type: keyword
       description: >
           An array of strings describing a possible external origin for
           this file. For example, the URL it was downloaded from. Only

diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc
@@ -2610,7 +2610,7 @@ Set if the file has the `setgid` bit set. Omitted otherwise.
 *`file.origin`*::
 +
 --
-type: text
+type: keyword
 
 An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.
 

diff --git a/auditbeat/include/fields.go b/auditbeat/include/fields.go