[Filebeat][Gsuite] Remap client.* -> source.* and add event.ingested (#…

…19841) * Remap client.* -> source.* and add event.ingested * Ignore event.ingested in tests * Regenerate test files * Regenerate admin test files
elastic · Jul 14, 2020 · 5cbc3d4 · 5cbc3d4
1 parent eb9d87b
commit 5cbc3d4
Show file tree

Hide file tree

Showing 26 changed files with 4,880 additions and 4,868 deletions.
diff --git a/filebeat/docs/modules/gsuite.asciidoc b/filebeat/docs/modules/gsuite.asciidoc
@@ -93,13 +93,16 @@ This is a list of GSuite Reports fields that are mapped to ECS.
 | items[].id.applicationName | event.provider                                          |
 | items[].events[].name      | event.action                                            |
 | items[].customerId         | organization.id                                         |
-| items[].ipAddress          | client.ip, related.ip, client.as.*, client.geo.*        |
-| items[].actor.email        | client.user.email, client.user.name, client.user.domain |
-| items[].actor.profileId    | client.user.id                                          |
+| items[].ipAddress          | source.ip, related.ip, source.as.*, source.geo.*        |
+| items[].actor.email        | source.user.email, source.user.name, source.user.domain |
+| items[].actor.profileId    | source.user.id                                          |
 |=======================================================================================
 
 These are the common ones to all filesets.
 
+Note: GSuite defaults to a 2 hours polling interval because Google admin lag times can go from
+some minutes up to 3 days. For more details on this, please read more https://support.google.com/a/answer/7061566[here].
+
 :has-dashboards!:
 
 :modulename!:

diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py
@@ -279,6 +279,9 @@ def clean_keys(obj):
         delete_key(obj, "event.ingested")
         delete_key(obj, "@timestamp")
 
+    if obj["event.module"] == "gsuite":
+        delete_key(obj, "event.ingested")
+
 
 def delete_key(obj, key):
     if key in obj:

diff --git a/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc b/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc
@@ -88,13 +88,16 @@ This is a list of GSuite Reports fields that are mapped to ECS.
 | items[].id.applicationName | event.provider                                          |
 | items[].events[].name      | event.action                                            |
 | items[].customerId         | organization.id                                         |
-| items[].ipAddress          | client.ip, related.ip, client.as.*, client.geo.*        |
-| items[].actor.email        | client.user.email, client.user.name, client.user.domain |
-| items[].actor.profileId    | client.user.id                                          |
+| items[].ipAddress          | source.ip, related.ip, source.as.*, source.geo.*        |
+| items[].actor.email        | source.user.email, source.user.name, source.user.domain |
+| items[].actor.profileId    | source.user.id                                          |
 |=======================================================================================
 
 These are the common ones to all filesets.
 
+Note: GSuite defaults to a 2 hours polling interval because Google admin lag times can go from
+some minutes up to 3 days. For more details on this, please read more https://support.google.com/a/answer/7061566[here].
+
 :has-dashboards!:
 
 :modulename!: