Auditbeat populating unexpected value of ECS event.kind field #26790

Closed
MikePaquette opened this issue Jul 8, 2021 · 5 comments
Comments

@MikePaquette

  • Version: 7.14.0 BC1

  • Operating System: macOS

  • Discuss Forum URL: None

  • Steps to Reproduce: install auditbeat on a macOS system. Force quit a process. Look for error events from auditbeat.

  • Detected by: custom security solution detection rule "ECS Check: event.kind contains disallowed value"

  • Expected behavior: event.kind should be one of {alert, event, metric, state, pipeline_error, signal} per docs.

  • Observed behavior: event.kind: error

  • Screenshot: [image not preserved]

  • Actual event output below:

{
  "_id": "CKr5hXoBUjcwjRyPwBwZ",
  "_index": "auditbeat-7.14.0-2021.07.02-000001",
  "_score": "1",
  "_type": "_doc",
  "@timestamp": "2021-07-08T11:56:13.554Z",
  "agent": {
    "ephemeral_id": "49cab721-c74e-4b10-9142-a079118a1c58",
    "hostname": "Michaels-MBP-2",
    "id": "4bfb3e08-8aa3-4b86-881d-def2afd8814b",
    "name": "Michaels-MBP-2",
    "type": "auditbeat",
    "version": "7.14.0"
  },
  "ecs": {
    "version": "1.10.0"
  },
  "error": {
    "message": "failed to load process information for PID 96897: no such process"
  },
  "event": {
    "action": "process_error",
    "category": "process",
    "dataset": "process",
    "kind": "error",
    "module": "system",
    "type": "info"
  },
  "host": {
    "architecture": "x86_64",
    "hostname": "Michaels-MBP-2",
    "id": "2DF82D82-59FF-50A0-ADB3-A6909510EE98",
    "ip": "redacted",
    "mac": "redacted",
    "name": "Michaels-MBP-2",
    "os": {
      "build": "18G9028",
      "family": "darwin",
      "kernel": "18.7.0",
      "name": "Mac OS X",
      "platform": "darwin",
      "type": "macos",
      "version": "10.14.6"
    }
  },
  "message": "ERROR for PID 96897: failed to load process information for PID 96897: no such process",
  "process": {
    "args": "",
    "entity_id": "fKnIFC6aqP71hqdu",
    "executable": "",
    "name": "",
    "pid": "96897",
    "ppid": "0",
    "start": "0001-01-01T00:00:00.000Z",
    "working_directory": ""
  },
  "service": {
    "type": "system"
  }
}
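A reproduction of the check the reporter's detection rule performs, written here as an added example that is not part of the issue or of Auditbeat's code: it validates `event.kind` against the allowed set quoted above, accepts both nested and flattened document shapes, and returns each offending document with the `event.module`/`event.dataset`/`event.action` context needed to identify the producer. The sample documents are constructed; the first mirrors (in trimmed form) the event quoted in the issue.

```python
"""Check ECS event.kind against its allowed value set.

Added example, not code from the issue or from Auditbeat. The allowed set is
the one quoted in the issue (ECS 1.10); all sample documents are constructed.
"""
from typing import Any, Dict, List, Optional

# Allowed values for event.kind as quoted in the issue (ECS 1.10).
ALLOWED_EVENT_KIND = frozenset(
    {"alert", "event", "metric", "state", "pipeline_error", "signal"}
)


def get_field(doc: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted field path, accepting both the nested form
    ({"event": {"kind": ...}}) and the flattened form ({"event.kind": ...})
    that different shippers and UIs produce."""
    if path in doc:
        return doc[path]
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def check_event_kind(doc: Dict[str, Any]) -> Optional[str]:
    """Return a finding string if event.kind is missing or not in the ECS
    allowed set, otherwise None."""
    kind = get_field(doc, "event.kind")
    if kind is None:
        return "event.kind missing"
    if not isinstance(kind, str) or kind not in ALLOWED_EVENT_KIND:
        return f"event.kind has disallowed value {kind!r}"
    return None


def find_violations(docs: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run the check over a batch and return one record per violation, with
    enough event.* context to tell which module/dataset produced it."""
    findings = []
    for doc in docs:
        problem = check_event_kind(doc)
        if problem:
            findings.append({
                "id": doc.get("_id"),
                "module": get_field(doc, "event.module"),
                "dataset": get_field(doc, "event.dataset"),
                "action": get_field(doc, "event.action"),
                "problem": problem,
            })
    return findings


# Constructed sample batch: the first document reproduces the shape of the
# event quoted in the issue (trimmed); the others are well-formed, flattened,
# or missing the field entirely.
SAMPLE_DOCS = [
    {"_id": "CKr5hXoBUjcwjRyPwBwZ",
     "error": {"message": "failed to load process information for PID 96897: no such process"},
     "event": {"action": "process_error", "category": "process", "dataset": "process",
               "kind": "error", "module": "system", "type": "info"}},
    {"_id": "ok-1",
     "event": {"action": "process_started", "category": "process", "dataset": "process",
               "kind": "event", "module": "system", "type": "start"}},
    {"_id": "flat-1", "event.kind": "metric", "event.module": "system", "event.dataset": "host"},
    {"_id": "missing-1", "event": {"module": "system", "dataset": "login"}},
]

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_DOCS):
        print(finding)
```

Run against the sample batch, the auditbeat-shaped document is reported for `event.kind: error` and the last one for a missing field, while the nested and flattened well-formed documents pass; the flattened-path handling matters because the same rule applied to a view that emits `event.kind` as a single key would otherwise report every document as missing the field.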
@botelastic bot added the needs_team label Jul 8, 2021
@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic bot removed the needs_team label Jul 8, 2021
@legoguy1000
Contributor

This was fixed last year by @marc-gr, #20685. It looks like it was never backported, which is why it's still in the 7.x code.

@marc-gr
Contributor

marc-gr commented Jul 14, 2021

IIRC at the time we concluded it was a breaking change so we did not backport it. It is something we can discuss still @MikePaquette

cc @andrewkroh @jamiehynds

@andrewkroh
Member

I think we can change it without affecting much. I opened #27721.

@andrewkroh
Member

Backported this fix for 7.16.
