From 39217978ee2dc2b5a4a95cf62e119b4f2fd52ad6 Mon Sep 17 00:00:00 2001 
From: "Lee E. Hinman"
Date: Thu, 23 Jun 2022 17:48:14 -0700
Subject: [PATCH] Add correct mapping for event.created

data_streams that could use httpjson as an input need a field mapping for event.created because httpjson creates that field.

- apache: error
- atlassian_bitbucket: audit
- carbon_black_cloud: alert, asset_vulnerability_summary, audit, endpoint_event, watchlist_hit
- github: audit
- httpjson: generic
- snyk: audit, vulnerabilities
- winlog: winlog

Closes #3577
---
packages/apache/changelog.yml | 5 +++++ packages/apache/data_stream/error/fields/ecs.yml | 2 ++ packages/apache/docs/README.md | 1 + packages/apache/manifest.yml | 2 +- packages/atlassian_bitbucket/changelog.yml | 5 +++++ .../atlassian_bitbucket/data_stream/audit/fields/ecs.yml | 2 ++ packages/atlassian_bitbucket/docs/README.md | 1 + packages/atlassian_bitbucket/manifest.yml | 2 +- packages/carbon_black_cloud/changelog.yml | 5 +++++ packages/carbon_black_cloud/data_stream/alert/fields/ecs.yml | 2 ++ .../data_stream/asset_vulnerability_summary/fields/ecs.yml | 2 ++ packages/carbon_black_cloud/data_stream/audit/fields/ecs.yml | 2 ++ .../data_stream/endpoint_event/fields/ecs.yml | 2 ++ .../data_stream/watchlist_hit/fields/ecs.yml | 2 ++ packages/carbon_black_cloud/docs/README.md | 5 +++++ packages/carbon_black_cloud/manifest.yml | 2 +- packages/github/changelog.yml | 5 +++++ packages/github/data_stream/audit/fields/ecs.yml | 2 ++ packages/github/docs/README.md | 1 + packages/github/manifest.yml | 2 +- packages/httpjson/changelog.yml | 5 +++++ packages/httpjson/data_stream/generic/fields/ecs.yml | 2 ++ packages/httpjson/manifest.yml | 2 +- packages/snyk/changelog.yml | 5 +++++ packages/snyk/data_stream/audit/fields/ecs.yml | 2 ++ packages/snyk/data_stream/vulnerabilities/fields/ecs.yml | 2 ++ packages/snyk/docs/README.md | 2 ++ packages/snyk/manifest.yml | 2 +- packages/winlog/changelog.yml | 5 +++++ packages/winlog/data_stream/winlog/fields/ecs.yml | 2 ++ packages/winlog/docs/README.md | 1 +
packages/winlog/manifest.yml | 2 +- 32 files changed, 77 insertions(+), 7 deletions(-)
diff --git a/packages/apache/changelog.yml b/packages/apache/changelog.yml
index ca313e8e6c3..643198d6722 100644
--- a/packages/apache/changelog.yml
+++ b/packages/apache/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.4.1"
+ changes:
+ - description: Add correct field mapping for event.created
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3579
 - version: "1.4.0"
 changes:
 - description: Migration of tile map to map in logs dashboard
diff --git a/packages/apache/data_stream/error/fields/ecs.yml b/packages/apache/data_stream/error/fields/ecs.yml
index 0a88a11039a..e74b895fa6c 100644
--- a/packages/apache/data_stream/error/fields/ecs.yml
+++ b/packages/apache/data_stream/error/fields/ecs.yml
@@ -4,6 +4,8 @@
 name: error.message
 - external: ecs
 name: event.category
+- external: ecs
+ name: event.created
 - external: ecs
 name: event.kind
 - external: ecs
diff --git a/packages/apache/docs/README.md b/packages/apache/docs/README.md
index 2d02c2a8a19..2ef8d6fee40 100644
--- a/packages/apache/docs/README.md
+++ b/packages/apache/docs/README.md
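Review bot: The patch description says every touched data stream "could use httpjson as an input", but nothing in this hunk or the rest of the diff shows how apache/error (or winlog/winlog, later in the patch) reaches that input; if event.created arrives from a different input for those two, the commit message should say where it comes from. The two added lines are otherwise correct: `external: ecs` resolves event.created to the ECS `date` type, which is what the README hunks render as `| date |`, and without the entry the field presumably falls to dynamic mapping or is dropped, depending on the template settings. Because the field is set by the input at run time rather than by the ingest pipeline, a pipeline test on its own would presumably not catch a missing mapping; including event.created in each data stream's sample event or system-test expectations would guard against the same regression in the other eleven ecs.yml hunks of this patch (atlassian_bitbucket/audit, the five carbon_black_cloud streams, github/audit, httpjson/generic, snyk/audit, snyk/vulnerabilities, winlog/winlog). Mapping event.created as a date also makes the gap to `@timestamp` queryable, which is the collection-lag signal the ECS description in the README hunks refers to and the `@timestamp` < `event.created` < `event.ingested` ordering the github README hunk spells out.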
@@ -143,6 +143,7 @@ Error logs collects the Apache error logs. | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | error.message | Error message. | match_only_text | | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Event dataset | constant_keyword | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword |
diff --git a/packages/apache/manifest.yml b/packages/apache/manifest.yml
index 06b84d4b75a..68cd2cad7c6 100644
--- a/packages/apache/manifest.yml
+++ b/packages/apache/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: apache
 title: Apache HTTP Server
-version: 1.4.0
+version: 1.4.1
 license: basic
 description: Collect logs and metrics from Apache servers with Elastic Agent.
 type: integration
diff --git a/packages/atlassian_bitbucket/changelog.yml b/packages/atlassian_bitbucket/changelog.yml
index b19d60a2d96..861f0da4965 100644
--- a/packages/atlassian_bitbucket/changelog.yml
+++ b/packages/atlassian_bitbucket/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.2"
+ changes:
+ - description: Add correct field mapping for event.created
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3579
 - version: "1.2.1"
 changes:
 - description: Update Readme
diff --git a/packages/atlassian_bitbucket/data_stream/audit/fields/ecs.yml b/packages/atlassian_bitbucket/data_stream/audit/fields/ecs.yml
index 24fa8e21c73..60d7aabde36 100644
--- a/packages/atlassian_bitbucket/data_stream/audit/fields/ecs.yml
+++ b/packages/atlassian_bitbucket/data_stream/audit/fields/ecs.yml
@@ -2,6 +2,8 @@
 name: ecs.version
 - external: ecs
 name: error.message
+- external: ecs
+ name: event.created
 - external: ecs
 name: tags
 - external: ecs
diff --git a/packages/atlassian_bitbucket/docs/README.md b/packages/atlassian_bitbucket/docs/README.md
index b4d6f148d98..374e23b4c2f 100644
--- a/packages/atlassian_bitbucket/docs/README.md
+++ b/packages/atlassian_bitbucket/docs/README.md
@@ -43,6 +43,7 @@ The Bitbucket integration collects audit logs from the audit log files or the au | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | error.message | Error message. | match_only_text | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | | group.id | Unique identifier for the group on the system/platform. | keyword | diff --git a/packages/atlassian_bitbucket/manifest.yml b/packages/atlassian_bitbucket/manifest.yml index 5e743b0222b..41936ae849a 100644 --- a/packages/atlassian_bitbucket/manifest.yml +++ b/packages/atlassian_bitbucket/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: atlassian_bitbucket title: Atlassian Bitbucket -version: 1.2.1 +version: 1.2.2 license: basic description: Collect logs from Atlassian Bitbucket with Elastic Agent. type: integration diff --git a/packages/carbon_black_cloud/changelog.yml b/packages/carbon_black_cloud/changelog.yml index 50baa53bb7d..83c0fdd168f 100644 --- a/packages/carbon_black_cloud/changelog.yml 
+++ b/packages/carbon_black_cloud/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.0.3"
+ changes:
+ - description: Add correct field mapping for event.created
+ type: bugfix
+ link: https://github.com/elastic/integrations/issues/3579
 - version: "1.0.2"
 changes:
 - description: Fix dashboard issues.
diff --git a/packages/carbon_black_cloud/data_stream/alert/fields/ecs.yml b/packages/carbon_black_cloud/data_stream/alert/fields/ecs.yml
index 14d18fd1b8d..b35ce472b72 100644
--- a/packages/carbon_black_cloud/data_stream/alert/fields/ecs.yml
+++ b/packages/carbon_black_cloud/data_stream/alert/fields/ecs.yml
@@ -1,5 +1,7 @@
 - external: ecs
 name: ecs.version
+- external: ecs
+ name: event.created
 - external: ecs
 name: event.end
 - external: ecs
diff --git a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/fields/ecs.yml b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/fields/ecs.yml
index ca4e53e6c5f..7d6e28b19f7 100644
--- a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/fields/ecs.yml
+++ b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/fields/ecs.yml
@@ -1,5 +1,7 @@
 - external: ecs
 name: ecs.version
+- external: ecs
+ name: event.created
 - external: ecs
 name: event.original
 - external: ecs
diff --git a/packages/carbon_black_cloud/data_stream/audit/fields/ecs.yml b/packages/carbon_black_cloud/data_stream/audit/fields/ecs.yml
index 231d0e7c061..3edf889adfa 100644
--- a/packages/carbon_black_cloud/data_stream/audit/fields/ecs.yml
+++ b/packages/carbon_black_cloud/data_stream/audit/fields/ecs.yml
@@ -4,6 +4,8 @@
 name: client.user.id
 - external: ecs
 name: ecs.version
+- external: ecs
+ name: event.created
 - external: ecs
 name: event.id
 - external: ecs
diff --git a/packages/carbon_black_cloud/data_stream/endpoint_event/fields/ecs.yml b/packages/carbon_black_cloud/data_stream/endpoint_event/fields/ecs.yml
index 177effae81a..bc5bb4e57e8 100644
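Review bot: The changelog entry that accompanies this mapping (the packages/carbon_black_cloud/changelog.yml hunk just above) links to `https://github.com/elastic/integrations/issues/3579`, while every other package's entry in this patch uses `https://github.com/elastic/integrations/pull/3579`; the number is the same, so this is an inconsistency rather than a broken reference, but the line should read `link: https://github.com/elastic/integrations/pull/3579` like the others. The two mapping lines themselves match the four other Carbon Black Cloud ecs.yml hunks in this patch (asset_vulnerability_summary, audit, endpoint_event, watchlist_hit) and follow this file's existing `external: ecs`-first ordering, so no change is needed there.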
--- a/packages/carbon_black_cloud/data_stream/endpoint_event/fields/ecs.yml
+++ b/packages/carbon_black_cloud/data_stream/endpoint_event/fields/ecs.yml
@@ -12,6 +12,8 @@
 name: ecs.version
 - external: ecs
 name: event.action
+- external: ecs
+ name: event.created
 - external: ecs
 name: event.id
 - external: ecs
diff --git a/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/ecs.yml b/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/ecs.yml
index e4856c9602b..8081e9ed996 100644
--- a/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/ecs.yml
+++ b/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/ecs.yml
@@ -1,5 +1,7 @@
 - external: ecs
 name: ecs.version
+- external: ecs
+ name: event.created
 - external: ecs
 name: event.kind
 - external: ecs
diff --git a/packages/carbon_black_cloud/docs/README.md b/packages/carbon_black_cloud/docs/README.md
index b07163713d4..62c93e153bf 100644
--- a/packages/carbon_black_cloud/docs/README.md
+++ b/packages/carbon_black_cloud/docs/README.md
@@ -138,6 +138,7 @@ An example event for `audit` looks as following: | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Event dataset. | constant_keyword | | event.id | Unique ID to describe the event. | keyword | | event.module | Event module. | constant_keyword | 
@@ -375,6 +376,7 @@ An example event for `alert` looks as following: | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Event dataset. | constant_keyword | | event.end | event.end contains the date when the event ended or when the activity was last observed. | date | | event.id | Unique ID to describe the event. | keyword | 
@@ -610,6 +612,7 @@ An example event for `endpoint_event` looks as following: | dll.path | Full file path of the library. | keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Event dataset. | constant_keyword | | event.id | Unique ID to describe the event. | keyword | | event.module | Event module. | constant_keyword | 
@@ -849,6 +852,7 @@ An example event for `watchlist_hit` looks as following: | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Event dataset. | constant_keyword | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | 
@@ -1013,6 +1017,7 @@ An example event for `asset_vulnerability_summary` looks as following: | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | | event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | diff --git a/packages/carbon_black_cloud/manifest.yml b/packages/carbon_black_cloud/manifest.yml index a8ab1f00f15..d37f10abcf3 100644 --- a/packages/carbon_black_cloud/manifest.yml +++ b/packages/carbon_black_cloud/manifest.yml 
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: carbon_black_cloud
 title: VMware Carbon Black Cloud
-version: 1.0.2
+version: 1.0.3
 license: basic
 description: Collect logs from VMWare Carbon Black Cloud with Elastic Agent.
 type: integration
diff --git a/packages/github/changelog.yml b/packages/github/changelog.yml
index 2fd05bc9bc9..e76d9707a0e 100644
--- a/packages/github/changelog.yml
+++ b/packages/github/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.0.2"
+ changes:
+ - description: Add correct field mapping for event.created
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3579
 - version: "1.0.1"
 changes:
 - description: Update readme
diff --git a/packages/github/data_stream/audit/fields/ecs.yml b/packages/github/data_stream/audit/fields/ecs.yml
index 2a91808be38..e52b6ef0f4b 100644
--- a/packages/github/data_stream/audit/fields/ecs.yml
+++ b/packages/github/data_stream/audit/fields/ecs.yml
@@ -8,6 +8,8 @@
 external: ecs
 - name: event.category
 external: ecs
+- name: event.created
+ external: ecs
 - name: event.id
 external: ecs
 - name: event.ingested
diff --git a/packages/github/docs/README.md b/packages/github/docs/README.md
index e7f451bfff4..4e1f0bb9329 100644
--- a/packages/github/docs/README.md
+++ b/packages/github/docs/README.md
@@ -25,6 +25,7 @@ To use this integration, you must be an organization owner, and you must use an | error.message | Error message. | match_only_text | | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Event dataset | constant_keyword | | event.id | Unique ID to describe the event. | keyword | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
diff --git a/packages/github/manifest.yml b/packages/github/manifest.yml
index ccad2f973d2..027b7e2a3be 100644
--- a/packages/github/manifest.yml
+++ b/packages/github/manifest.yml
@@ -1,6 +1,6 @@
 name: github
 title: GitHub
-version: 1.0.1
+version: 1.0.2
 release: ga
 description: Collect events from GitHub with Elastic Agent.
 type: integration
diff --git a/packages/httpjson/changelog.yml b/packages/httpjson/changelog.yml
index 3dc1d9689ef..de3cbba77b7 100644
--- a/packages/httpjson/changelog.yml
+++ b/packages/httpjson/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.2.4"
+ changes:
+ - description: Add correct field mapping for event.created
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3579
 - version: "1.2.3"
 changes:
 - description: Fixes oauth2 config rendering
diff --git a/packages/httpjson/data_stream/generic/fields/ecs.yml b/packages/httpjson/data_stream/generic/fields/ecs.yml
index 1efcb5beb1c..1c3645d5f4e 100644
--- a/packages/httpjson/data_stream/generic/fields/ecs.yml
+++ b/packages/httpjson/data_stream/generic/fields/ecs.yml
@@ -1,4 +1,6 @@
 - name: ecs.version
 external: ecs
+- name: event.created
+ external: ecs
 - name: message
 external: ecs
diff --git a/packages/httpjson/manifest.yml b/packages/httpjson/manifest.yml
index 3696038e206..adb9ec7de6e 100644
--- a/packages/httpjson/manifest.yml
+++ b/packages/httpjson/manifest.yml
@@ -3,7 +3,7 @@ name: httpjson
 title: Custom HTTPJSON Input
 description: Collect custom data from REST API's with Elastic Agent.
 type: integration
-version: 1.2.3
+version: 1.2.4
 release: ga
 conditions:
 kibana.version: "^7.16.0 || ^8.0.0"
diff --git a/packages/snyk/changelog.yml b/packages/snyk/changelog.yml
index 5ac030d0c12..c520a4c6da2 100644
--- a/packages/snyk/changelog.yml
+++ b/packages/snyk/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.1"
+ changes:
+ - description: Add correct field mapping for event.created
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3579
 - version: "1.2.0"
 changes:
 - description: Update to ECS 8.2
diff --git a/packages/snyk/data_stream/audit/fields/ecs.yml b/packages/snyk/data_stream/audit/fields/ecs.yml
index 7cf6dad78bc..f243288cc96 100644
--- a/packages/snyk/data_stream/audit/fields/ecs.yml
+++ b/packages/snyk/data_stream/audit/fields/ecs.yml
@@ -1,3 +1,5 @@
+- name: event.created
+ external: ecs
 - name: event.original
 external: ecs
 - name: tags
diff --git a/packages/snyk/data_stream/vulnerabilities/fields/ecs.yml b/packages/snyk/data_stream/vulnerabilities/fields/ecs.yml
index 89fef6016f5..0e1e5e77d09 100644
--- a/packages/snyk/data_stream/vulnerabilities/fields/ecs.yml
+++ b/packages/snyk/data_stream/vulnerabilities/fields/ecs.yml
@@ -1,3 +1,5 @@
+- name: event.created
+ external: ecs
 - name: event.original
 external: ecs
 - name: tags
diff --git a/packages/snyk/docs/README.md b/packages/snyk/docs/README.md
index 26d4281e6fa..93fc4dd8694 100644
--- a/packages/snyk/docs/README.md
+++ b/packages/snyk/docs/README.md
@@ -81,6 +81,7 @@ An example event for `audit` looks as following: | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | | event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | 
@@ -273,6 +274,7 @@ An example event for `vulnerabilities` looks as following: | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | | event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | diff --git a/packages/snyk/manifest.yml b/packages/snyk/manifest.yml index deb85b92650..a1eeaea0799 100644 --- a/packages/snyk/manifest.yml +++ b/packages/snyk/manifest.yml 
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: snyk
 title: "Snyk"
-version: 1.2.0
+version: 1.2.1
 license: basic
 description: "Collect logs from Snyk API with Elastic Agent."
 type: integration
diff --git a/packages/winlog/changelog.yml b/packages/winlog/changelog.yml
index 3ceb0a3ec5b..55131bcf24c 100644
--- a/packages/winlog/changelog.yml
+++ b/packages/winlog/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.5.2"
+ changes:
+ - description: Add correct field mapping for event.created
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3579
 - version: "1.5.1"
 changes:
 - description: update readme added link to Microsoft documentation and reworded a link
diff --git a/packages/winlog/data_stream/winlog/fields/ecs.yml b/packages/winlog/data_stream/winlog/fields/ecs.yml
index e6ed801be2a..a59c37e018d 100644
--- a/packages/winlog/data_stream/winlog/fields/ecs.yml
+++ b/packages/winlog/data_stream/winlog/fields/ecs.yml
@@ -1,5 +1,7 @@
 - name: ecs.version
 external: ecs
+- name: event.created
+ external: ecs
 - name: log.level
 external: ecs
 - name: message
diff --git a/packages/winlog/docs/README.md b/packages/winlog/docs/README.md
index 3279e226a23..b29900062c8 100644
--- a/packages/winlog/docs/README.md
+++ b/packages/winlog/docs/README.md
@@ -30,6 +30,7 @@ To achieve this, `renderXml` needs to be set to `1` in your [inputs.conf](https: | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | | input.type | Type of Filebeat input. | keyword | diff --git a/packages/winlog/manifest.yml b/packages/winlog/manifest.yml index c4b8e3bf603..3732b67a42f 100644 --- a/packages/winlog/manifest.yml +++ b/packages/winlog/manifest.yml @@ -3,7 +3,7 @@ name: winlog title: Custom Windows Event Logs description: Collect and parse logs from any Windows event log channel with Elastic Agent. type: integration -version: 1.5.1 +version: 1.5.2 release: ga conditions: kibana.version: '^7.16.0 || ^8.0.0'