diff --git a/packages/microsoft_sqlserver/changelog.yml b/packages/microsoft_sqlserver/changelog.yml
index 30b70095a86..3fad20a451b 100644
--- a/packages/microsoft_sqlserver/changelog.yml
+++ b/packages/microsoft_sqlserver/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.4.3"
+ changes:
+ - description: Fix field conflict for `winlog.record_id`
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2894
 - version: "0.4.2"
 changes:
 - description: Fix mapper_parsing_exception when parsing sqlserver.audit.event_time.
diff --git a/packages/microsoft_sqlserver/data_stream/audit/_dev/test/pipeline/test-events.json-expected.json b/packages/microsoft_sqlserver/data_stream/audit/_dev/test/pipeline/test-events.json-expected.json
index aeb8ed769ad..98966f65e56 100644
--- a/packages/microsoft_sqlserver/data_stream/audit/_dev/test/pipeline/test-events.json-expected.json
+++ b/packages/microsoft_sqlserver/data_stream/audit/_dev/test/pipeline/test-events.json-expected.json
@@ -124,7 +124,7 @@
 "Classic"
 ],
 "provider_name": "MSSQLSERVER$AUDIT",
- "record_id": 17607,
+ "record_id": "17607",
 "user": {
 "domain": "NT SERVICE",
 "identifier": "S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003",
@@ -258,7 +258,7 @@
 "Classic"
 ],
 "provider_name": "MSSQLSERVER$AUDIT",
- "record_id": 26134,
+ "record_id": "26134",
 "user": {
 "domain": "NT SERVICE",
 "identifier": "S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003",
@@ -389,7 +389,7 @@
 "Classic"
 ],
 "provider_name": "MSSQLSERVER$AUDIT",
- "record_id": 27810,
+ "record_id": "27810",
 "user": {
 "domain": "NT SERVICE",
 "identifier": "S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003",
@@ -516,7 +516,7 @@
 "Classic"
 ],
 "provider_name": "MSSQLSERVER$AUDIT",
- "record_id": 28002,
+ "record_id": "28002",
 "user": {
 "domain": "NT SERVICE",
 "identifier": "S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003",
diff --git a/packages/microsoft_sqlserver/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_sqlserver/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index 79ef2ef360a..2f4f84e8d04 100644
--- a/packages/microsoft_sqlserver/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/microsoft_sqlserver/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -1229,6 +1229,11 @@ processors:
 - set:
 field: user.target.id
 copy_from: sqlserver.audit.target_server_principal_sid
+
+- convert:
+ field: winlog.record_id
+ type: string
+ ignore_missing: true
 ##
 # Clean up
 ##
diff --git a/packages/microsoft_sqlserver/data_stream/audit/fields/winlog.yml b/packages/microsoft_sqlserver/data_stream/audit/fields/winlog.yml
index 841f3550d60..075d40345dc 100644
--- a/packages/microsoft_sqlserver/data_stream/audit/fields/winlog.yml
+++ b/packages/microsoft_sqlserver/data_stream/audit/fields/winlog.yml
@@ -72,7 +72,7 @@
 The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration.
 - name: record_id
- type: long
+ type: keyword
 required: true
 description: >
 The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0.
diff --git a/packages/microsoft_sqlserver/docs/README.md b/packages/microsoft_sqlserver/docs/README.md
index 3df418c8a96..7859f293121 100644
--- a/packages/microsoft_sqlserver/docs/README.md
+++ b/packages/microsoft_sqlserver/docs/README.md
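Review bot: The new `convert` processor carries no comment explaining why a sequential integer record ID is being coerced to a string, and a maintainer who later sees a counter mapped as text is likely to "fix" it back; a line such as `# winlog.record_id is mapped as keyword to resolve a mapping conflict (see changelog 0.4.3); keep the ingested value a string so it matches` above `- convert:` would make the intent explicit. A caveat worth recording somewhere in the package: once the value is a string, sort and range queries on `winlog.record_id` are lexicographic (`"9999"` sorts after `"10000"`), so any gap detection over the audit stream — the usual way to notice dropped or purged SQL Server audit events — must compare numerically, e.g. via a long-typed runtime field; I saw no such consumer in this diff, so this is a note rather than a defect. Converting a numeric scalar to a string does not fail, so `ignore_missing: true` alone looks adequate unless the winlog input can ever deliver a non-scalar here, which I would not expect.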
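Review bot: The `record_id` description is left unchanged and still reads as a numeric counter that wraps to 0 at 2^32/2^64, while the mapping directly above it is now `keyword`, so readers of the field reference will assume numeric ordering that the field no longer provides. I would append one sentence to the description, e.g. `This field is mapped as keyword (the value is stored as a string), so sorting and range queries on it are lexical rather than numeric.` The same text appears verbatim in the README row changed in the next hunk, which appears to be generated from this file, so phrase the addition so it reads cleanly in the table as well.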
@@ -133,7 +133,7 @@ The SQL Server audit dataset provides events from the configured Windows event l
 | winlog.process.thread.id | | long |
 | winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword |
 | winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword |
-| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | long |
+| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword |
 | winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword |
 | winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword |
 | winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
diff --git a/packages/microsoft_sqlserver/manifest.yml b/packages/microsoft_sqlserver/manifest.yml
index eca9e5b76f0..d82751a9b1c 100644
--- a/packages/microsoft_sqlserver/manifest.yml
+++ b/packages/microsoft_sqlserver/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: microsoft_sqlserver
 title: "Microsoft SQL Server"
-version: 0.4.2
+version: 0.4.3
 license: basic
 description: Collect audit events from Microsoft SQL Server with Elastic Agent.
 type: integration