Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Auditbeat] Cherry-pick #9732 to 6.6: User metricset: Fetch groups by user #9872

Merged
merged 1 commit into from
Jan 4, 2019
Merged

[Auditbeat] Cherry-pick #9732 to 6.6: User metricset: Fetch groups by user #9872

merged 1 commit into from
Jan 4, 2019

Conversation

cwurm
Copy link
Contributor

@cwurm cwurm commented Jan 3, 2019

Cherry-pick of PR #9732 to 6.6 branch. Original message:

Currently, the user metricset reads all users, then reads all groups and their members and matches one to the other. This can be a problem when groups have a lot of members (see #9679).

This changes to looking up groups of individual users.

It also changes the types of the system.audit.user.uid and system.audit.user.gid fields from integer to keyword to accommodate Windows in the future (Go's User and Group structs use strings, so does ECS user.id/group.id).

Because the internal structure of the User struct changes, this invalidates previous beat.db files. I have not added any conversion logic this time since this metricset is not released yet - but we will have to do it in the future.

Fixes #9679.

[Auditbeat] User metricset: Fetch groups by user (elastic#9732)
3202128 
Changes the user metricset to looking up groups by user instead of users by groups.

Also changes the types of the system.audit.user.uid and system.audit.user.gid fields from integer to keyword to accommodate Windows in the future.

Fixes elastic#9679.

(cherry picked from commit 42421e9)
@cwurm cwurm changed the title Cherry-pick #9732 to 6.6: [Auditbeat] User metricset: Fetch groups by user [Auditbeat] Cherry-pick #9732 to 6.6: User metricset: Fetch groups by user Jan 3, 2019
@elasticmachine
Copy link
Collaborator

Pinging @elastic/secops

webmat
webmat approved these changes Jan 3, 2019
View reviewed changes
Copy link
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cwurm cwurm merged commit 4b6c147 into elastic:6.6 Jan 4, 2019
@cwurm cwurm deleted the backport_9732_6.6 branch January 4, 2019 11:03
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
[Auditbeat] Cherry-pick elastic#9732 to 6.6: User metricset: Fetch gr…
2f4c411 
…oups by user (elastic#9872)

Cherry-pick of PR elastic#9732 to 6.6 branch. Original message: 

Changes the user metricset to looking up groups by user instead of users by groups.

Also changes the types of the system.audit.user.uid and system.audit.user.gid fields from integer to keyword to accommodate Windows in the future.

Fixes elastic#9679.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@webmat webmat webmat approved these changes

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees
No one assigned
Labels
Auditbeat backport review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@cwurm @elasticmachine @webmat @andrewkroh