[auditd]: set event.outcome value as per ECS specification

packages/auditd/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.1.2"
+  changes:
+    - description: Set event.outcome value according ECS specification
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3079
 - version: "2.1.1"
   changes:
     - description: Add documentation for multi-fields

packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json

@@ -21,7 +21,7 @@
                 "action": "mac_ipsec_event",
                 "kind": "event",
                 "original": "type=MAC_IPSEC_EVENT msg=audit(1485893834.891:18877201): op=SPD-delete auid=4294967295 ses=4294967295 res=1 src=192.168.2.0 src_prefixlen=24 dst=192.168.0.0 dst_prefixlen=16",
-                "outcome": "1"
+                "outcome": "success"
             },
             "source": {
                 "address": "192.168.2.0",
@@ -642,7 +642,7 @@
                 ],
                 "kind": "event",
                 "original": "node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1594053514.707:5): audit_failure=1 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 res=1",
-                "outcome": "1",
+                "outcome": "success",
                 "type": [
                     "change"
                 ]
@@ -1764,7 +1764,7 @@
                 ],
                 "kind": "event",
                 "original": "type=CONFIG_CHANGE msg=audit(1481077231.371:478): auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=\"add_rule\" key=(null) list=4 res=1",
-                "outcome": "1",
+                "outcome": "success",
                 "type": [
                     "change"
                 ]

packages/auditd/data_stream/log/elasticsearch/ingest_pipeline/default.yml

@@ -2114,10 +2114,21 @@ processors:
       ignore_failure: true
       field: auditd.log.msg
       target_field: message
-  - rename:
+  - set:
+      if: (ctx?.auditd?.log?.res != null && ["1", "success"].contains(ctx.auditd.log.res))
+      field: event.outcome
+      value: "success"
+      ignore_failure: true
+  - set:
+      if: (ctx?.auditd?.log?.res != null && ["0", "failed"].contains(ctx.auditd.log.res))
+      field: event.outcome
+      value: "failure"
+      ignore_failure: true
+  - set:
+      if: (ctx?.auditd?.log?.res != null && !["0", "1", "success", "failed"].contains(ctx.auditd.log.res))
+      field: event.outcome
+      value: "unknown"
       ignore_failure: true
-      field: auditd.log.res
-      target_field: event.outcome
    # The processor below populates process.args list from argN fields.
    #
    # It handles the common case of a complete record: Contains argc=N and a0 to aN-1,
@@ -2218,6 +2229,7 @@ processors:
         - auditd.log.epoch
         - auditd.log.copy
         - auditd.log.arch
+        - auditd.log.res
       ignore_failure: true
       ignore_missing: true
   - remove:

packages/auditd/data_stream/log/sample_event.json

@@ -1,11 +1,12 @@
 {
     "@timestamp": "2016-01-03T00:37:51.394Z",
     "agent": {
-        "ephemeral_id": "26e35ddc-258e-426f-87cf-40517f808d30",
-        "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7",
+        "ephemeral_id": "ef6d17d9-f955-48be-a4c5-6b4ea1fe9772",
+        "hostname": "docker-fleet-agent",
+        "id": "f386c08a-1dcf-444a-a259-9c33fa001606",
         "name": "docker-fleet-agent",
         "type": "filebeat",
-        "version": "8.0.0-beta1"
+        "version": "7.17.0"
     },
     "auditd": {
         "log": {
@@ -22,37 +23,36 @@
         "version": "8.0.0"
     },
     "elastic_agent": {
-        "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7",
+        "id": "f386c08a-1dcf-444a-a259-9c33fa001606",
         "snapshot": false,
-        "version": "8.0.0-beta1"
+        "version": "7.17.0"
     },
     "event": {
         "action": "proctitle",
         "agent_id_status": "verified",
         "dataset": "auditd.log",
-        "ingested": "2021-12-24T01:30:55Z",
+        "ingested": "2022-04-13T05:23:36Z",
         "kind": "event"
     },
     "host": {
         "architecture": "x86_64",
-        "containerized": true,
+        "containerized": false,
         "hostname": "docker-fleet-agent",
-        "id": "4ccba669f0df47fa3f57a9e4169ae7f1",
         "ip": [
-            "192.168.224.7"
+            "172.19.0.7"
         ],
         "mac": [
-            "02:42:c0:a8:e0:07"
+            "02:42:ac:13:00:07"
         ],
         "name": "docker-fleet-agent",
         "os": {
-            "codename": "Core",
-            "family": "redhat",
-            "kernel": "5.11.0-41-generic",
-            "name": "CentOS Linux",
-            "platform": "centos",
+            "codename": "focal",
+            "family": "debian",
+            "kernel": "5.10.104-linuxkit",
+            "name": "Ubuntu",
+            "platform": "ubuntu",
             "type": "linux",
-            "version": "7 (Core)"
+            "version": "20.04.3 LTS (Focal Fossa)"
         }
     },
     "input": {

packages/auditd/docs/README.md

@@ -20,11 +20,12 @@ An example event for `log` looks as following:
 {
     "@timestamp": "2016-01-03T00:37:51.394Z",
     "agent": {
-        "ephemeral_id": "26e35ddc-258e-426f-87cf-40517f808d30",
-        "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7",
+        "ephemeral_id": "ef6d17d9-f955-48be-a4c5-6b4ea1fe9772",
+        "hostname": "docker-fleet-agent",
+        "id": "f386c08a-1dcf-444a-a259-9c33fa001606",
         "name": "docker-fleet-agent",
         "type": "filebeat",
-        "version": "8.0.0-beta1"
+        "version": "7.17.0"
     },
     "auditd": {
         "log": {
@@ -41,37 +42,36 @@ An example event for `log` looks as following:
         "version": "8.0.0"
     },
     "elastic_agent": {
-        "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7",
+        "id": "f386c08a-1dcf-444a-a259-9c33fa001606",
         "snapshot": false,
-        "version": "8.0.0-beta1"
+        "version": "7.17.0"
     },
     "event": {
         "action": "proctitle",
         "agent_id_status": "verified",
         "dataset": "auditd.log",
-        "ingested": "2021-12-24T01:30:55Z",
+        "ingested": "2022-04-13T05:23:36Z",
         "kind": "event"
     },
     "host": {
         "architecture": "x86_64",
-        "containerized": true,
+        "containerized": false,
         "hostname": "docker-fleet-agent",
-        "id": "4ccba669f0df47fa3f57a9e4169ae7f1",
         "ip": [
-            "192.168.224.7"
+            "172.19.0.7"
         ],
         "mac": [
-            "02:42:c0:a8:e0:07"
+            "02:42:ac:13:00:07"
         ],
         "name": "docker-fleet-agent",
         "os": {
-            "codename": "Core",
-            "family": "redhat",
-            "kernel": "5.11.0-41-generic",
-            "name": "CentOS Linux",
-            "platform": "centos",
+            "codename": "focal",
+            "family": "debian",
+            "kernel": "5.10.104-linuxkit",
+            "name": "Ubuntu",
+            "platform": "ubuntu",
             "type": "linux",
-            "version": "7 (Core)"
+            "version": "20.04.3 LTS (Focal Fossa)"
         }
     },
     "input": {

packages/auditd/manifest.yml

@@ -1,6 +1,6 @@
 name: auditd
 title: Auditd
-version: 2.1.1
+version: 2.1.2
 release: ga
 description: Collect logs from Linux audit daemon with Elastic Agent.
 type: integration