Skip to content

[auditd]: set event.outcome value as per ECS specification #3079

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Apr 14, 2022
Merged

[auditd]: set event.outcome value as per ECS specification #3079

merged 3 commits into from
Apr 14, 2022

Conversation

r00tu53r
Copy link
Contributor

What does this PR do?

The PR sets/fixes event.outcome value as per ECS specification.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

elastic-package test pipeline -v -g

Related issues

@r00tu53r r00tu53r requested a review from a team as a code owner April 13, 2022 05:31
@r00tu53r r00tu53r self-assigned this Apr 13, 2022
@r00tu53r r00tu53r added bug Something isn't working, use only for issues Team:Security-External Integrations Integration:auditd Auditd Logs labels Apr 13, 2022
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@elasticmachine
Copy link

elasticmachine commented Apr 13, 2022
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-04-13T05:50:47.861+0000

  • Duration: 14 min 46 sec

Test stats 🧪

Test Results
Failed 0
Passed 14
Skipped 0
Total 14

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

efd6
efd6 reviewed Apr 13, 2022
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we know that 0 is always failed and 1 is always success? This post suggests that it is just not valid to have a value that is not success or failed. Given the tone of the post and the author, it probably means that a value that is not one of the valid values is unknown (pondering that 0=false in C, but success in unix and 1 is true and failed).

@r00tu53r
Copy link
Contributor Author

r00tu53r commented Apr 13, 2022
edited
Loading

Do we know that 0 is always failed and 1 is always success? This post suggests that it is just not valid to have a value that is not success or failed. Given the tone of the post and the author, it probably means that a value that is not one of the valid values is unknown (pondering that 0=false in C, but success in unix and 1 is true and failed).

Yes I came upon that link too. It does go by how C treats 0 as false. I confirmed that from the code here and other locations across other functions.

@r00tu53r r00tu53r merged commit f2901e2 into elastic:main Apr 14, 2022
@andrewkroh andrewkroh mentioned this pull request Apr 18, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@efd6 efd6 efd6 approved these changes

Assignees

@r00tu53r r00tu53r

Labels
bug Something isn't working, use only for issues Integration:auditd Auditd Logs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

auditd using invalid field values according to ECS
3 participants
@r00tu53r @elasticmachine @efd6