
Update metadata fields in logcollector events #533

Open
wants to merge 1 commit into master

Conversation

cborla (Member) commented Jan 22, 2025

Related issue
Closes #530

Description

This PR addresses the new metadata format in the Logcollector and Inventory modules.

Changes Made

  • Updated Logcollector to assign specific collector names to the event.module field dynamically.
  • Adjusted related configurations and mappings for compatibility.

Testing Details

  • Tested scenarios include data collection.

Checklist

  • Implementation aligned with specifications.
  • End-to-end testing completed.
  • Documentation updated if necessary.

@cborla cborla requested a review from vikman90 January 22, 2025 22:20
@cborla cborla self-assigned this Jan 22, 2025
@cborla cborla force-pushed the enhancement/530-update-metadata-fields-in-logcollector-events-to-match-specification branch 3 times, most recently from fa992a3 to 3b7d75a, January 22, 2025 22:27
@cborla cborla force-pushed the enhancement/530-update-metadata-fields-in-logcollector-events-to-match-specification branch from 3b7d75a to 5f4bd9f, January 23, 2025 14:17
cborla (Member, Author) commented Jan 23, 2025

Evidence of events collected.

The following events were obtained using the mock server.

Logcollector stateless events

File event

{
    "collector": "file",
    "module": "logcollector"
}
{
    "event":
    {
        "created": "2025-01-22T21:45:01.916Z",
        "original": "2025-01-22T18:45:01.555243-03:00 chb-VBox CRON[23505]: pam_unix(cron:session): session closed for user root"
    },
    "log":
    {
        "file":
        {
            "path": "/var/log/auth.log"
        }
    }
}

Journald event

{
    "collector": "journald",
    "module": "logcollector"
}
{
    "event":
    {
        "created": "2025-01-22T21:54:06.056Z",
        "original": "Starting NetworkManager-dispatcher.service - Network Manager Script Dispatcher Service...",
        "provider": "init.scope"
    }
}

Inventory stateless events

Processes event

{
    "collector": "processes",
    "module": "inventory"
}
{
    "event":
    {
        "action": "process-updated",
        "category": ["process"],
        "changed_fields": ["process.start"],
        "created": "2025-01-22T21:42:28.012Z",
        "reason": "Process systemd (PID: systemd) was updated",
        "type": ["change"]
    },
    "process":
    {
        "args": "splash",
        "command_line": "/sbin/init",
        "group": {"id": "root"},
        "name": "systemd",
        "parent": {"pid": 0},
        "pid": "1",
        "previous": {"start": 1737462341},
        "real_group": {"id": "root"},
        "real_user": {"id": "root"},
        "saved_group": {"id": "root"},
        "saved_user": {"id": "root"},
        "start": 1737556137,
        "thread": {"id": 1},
        "tty": {"char_device": {"major": 0}},
        "user": {"id": "root"}
    }
}

Hardware event

{
    "collector": "hardware",
    "module": "inventory"
}
{
    "event":
    {
        "action": "hardware-updated",
        "category": ["host"],
        "changed_fields": ["host.memory.free", "host.memory.used.percentage"],
        "created": "2025-01-22T21:42:28.012Z",
        "reason": "Hardware changed",
        "type": ["change"]
    },
    "host":
    {
        "cpu":
        {
            "cores": 4,
            "name": "AMD Ryzen 7 3500U with Radeon Vega Mobile Gfx",
            "speed": 2097
        },
        "memory":
        {
            "free": 7605896,
            "previous": {"free": 7671308},
            "total": 9706920,
            "used":
            {
                "percentage": 22,
                "previous": {"percentage": 21}
            }
        }
    },
    "observer": {"serial_number": "0"}
}

Inventory stateful events

Networks event

{
    "collector": "networks",
    "id": "2026039b88b91e4e2e66408f624c0b9318983271",
    "module": "inventory",
    "operation": "update"
}
{
    "@timestamp": "2025-01-22T21:42:28.012Z",
    "host":
    {
        "ip": ["192.168.56.102"],
        "mac": "08:00:27:70:ef:90",
        "network":
        {
            "egress": {"bytes": 1005162, "drops": 0, "errors": 0, "packets": 15705},
            "ingress": {"bytes": 1159956, "drops": 0, "errors": 0, "packets": 16269}
        }
    },
    "interface":
    {
        "mtu": 1500,
        "state": "up",
        "type": "ethernet"
    },
    "network":
    {
        "broadcast": ["192.168.56.255"],
        "dhcp": null,
        "gateway": [],
        "metric": "101",
        "netmask": ["255.255.255.0"],
        "protocol": null,
        "type": "ipv4"
    },
    "observer":
    {
        "ingress":
        {
            "interface": {"alias": "", "name": "enp0s8"}
        }
    }
}

Ports event

{
    "collector": "ports",
    "id": "664c1e64427c4c987f34c1f859c7f885775d2a3d",
    "module": "inventory",
    "operation": "create"
}
{
    "@timestamp": "2025-01-22T21:42:28.012Z",
    "destination": {"ip": ["::"], "port": 0},
    "file": {"inode": 15534},
    "host":
    {
        "network":
        {
            "egress": {"queue": 0},
            "ingress": {"queue": 0}
        }
    },
    "interface": {"state": "listening"},
    "network": {"protocol": "tcp6"},
    "process": {"name": "smbd", "pid": 1995},
    "source": {"ip": ["::"], "port": 139}
}
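Every pair in the evidence above follows one framing: a metadata object carrying `module` and `collector` (plus `id` and `operation` for stateful inventory events), followed by the event body. The validator below is an added example written for this page; it is not code from the project or from this PR. It treats the shape visible in these samples as rules: the module and collector names are the ones shown here, a stateful pair must carry a 40-hex-character `id`, an `operation`, and a body with `@timestamp`, while a stateless body must carry `event.created`. The allowed operation set including `delete`, and the hex-id format, are assumptions drawn from the samples rather than from the specification the PR implements. The sample streams are constructed, abbreviated copies of the events in the comment.

```python
"""Validate metadata/event pairs of the form shown in the PR evidence (added example)."""
import json
import re
from typing import Iterator, List, Tuple

# Collector names visible in the PR comment; extend as the specification grows.
KNOWN_COLLECTORS = {
    "logcollector": {"file", "journald"},
    "inventory": {"processes", "hardware", "networks", "ports"},
}
# "create" and "update" appear in the samples; "delete" is an assumption.
STATEFUL_OPERATIONS = {"create", "update", "delete"}
# Both sample ids are 40 lowercase hex characters; treating that as the format is an assumption.
HEX40 = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample: abbreviated copies of the pairs posted in the PR comment.
SAMPLE_STREAM = """\
{"collector":"file","module":"logcollector"}
{"event":{"created":"2025-01-22T21:45:01.916Z","original":"chb-VBox CRON[23505]: pam_unix(cron:session): session closed for user root"},"log":{"file":{"path":"/var/log/auth.log"}}}
{"collector":"journald","module":"logcollector"}
{"event":{"created":"2025-01-22T21:54:06.056Z","original":"Starting NetworkManager-dispatcher.service","provider":"init.scope"}}
{"collector":"networks","id":"2026039b88b91e4e2e66408f624c0b9318983271","module":"inventory","operation":"update"}
{"@timestamp":"2025-01-22T21:42:28.012Z","host":{"ip":["192.168.56.102"]},"interface":{"state":"up"}}
{"collector":"ports","id":"664c1e64427c4c987f34c1f859c7f885775d2a3d","module":"inventory","operation":"create"}
{"@timestamp":"2025-01-22T21:42:28.012Z","network":{"protocol":"tcp6"},"source":{"ip":["::"],"port":139}}
"""

# Constructed negative sample: a stateful pair without id and with an unknown
# operation, and a stateless pair from an unknown collector with no event.created.
BAD_STREAM = """\
{"collector":"ports","module":"inventory","operation":"upsert"}
{"host":{"ip":["::"]}}
{"collector":"syslog","module":"logcollector"}
{"event":{"original":"no created field"}}
"""


def iter_pairs(stream: str) -> Iterator[Tuple[dict, dict]]:
    """Yield (metadata, body) pairs from newline-delimited JSON.

    The stream alternates one metadata object with one event object; a
    dangling metadata line is an error rather than something to drop silently.
    """
    lines = [ln for ln in stream.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("dangling metadata line without an event body")
    for meta_line, body_line in zip(lines[0::2], lines[1::2]):
        yield json.loads(meta_line), json.loads(body_line)


def check_pair(meta: dict, body: dict) -> List[str]:
    """Return the list of rule violations for one metadata/body pair."""
    problems: List[str] = []
    module = meta.get("module")
    collector = meta.get("collector")
    if module not in KNOWN_COLLECTORS:
        problems.append(f"unknown module {module!r}")
    elif collector not in KNOWN_COLLECTORS[module]:
        problems.append(f"unknown collector {collector!r} for module {module!r}")

    # Presence of id or operation marks a stateful event (inventory in the samples).
    if "id" in meta or "operation" in meta:
        if not HEX40.match(str(meta.get("id", ""))):
            problems.append("stateful event needs a 40-hex-char id")
        if meta.get("operation") not in STATEFUL_OPERATIONS:
            problems.append(f"bad operation {meta.get('operation')!r}")
        if "@timestamp" not in body:
            problems.append("stateful body lacks @timestamp")
    else:
        event = body.get("event")
        if not isinstance(event, dict) or "created" not in event:
            problems.append("stateless body lacks event.created")

    extra = set(meta) - {"module", "collector", "id", "operation"}
    if extra:
        problems.append(f"unexpected metadata keys {sorted(extra)}")
    return problems


def validate_stream(stream: str) -> List[Tuple[int, List[str]]]:
    """Return [(pair_index, problems)] for every pair that fails a check."""
    report = []
    for idx, (meta, body) in enumerate(iter_pairs(stream)):
        problems = check_pair(meta, body)
        if problems:
            report.append((idx, problems))
    return report


if __name__ == "__main__":
    print("sample stream problems:", validate_stream(SAMPLE_STREAM))
    for idx, problems in validate_stream(BAD_STREAM):
        print(f"pair {idx}: {problems}")
```

Feeding the mock-server output through `validate_stream` is a cheap way to catch a collector that emits a stateful header without an `id`, or a stateless body without `event.created`, before the events reach an indexer that would reject or silently mis-map them.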

Successfully merging this pull request may close these issues.

Update metadata fields in Logcollector events to match specification