Add related.user and related.ip

elastic · May 5, 2020 · 2135405 · 2135405
1 parent ef57caf
commit 2135405
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/x-pack/auditbeat/module/system/login/login.go b/x-pack/auditbeat/module/system/login/login.go
@@ -178,7 +178,7 @@ func (ms *MetricSet) loginEvent(loginRecord *LoginRecord) mb.Event {
 
 	if loginRecord.Username != "" {
 		event.RootFields.Put("user.name", loginRecord.Username)
-
+		event.RootFields.Put("related.user", []string{loginRecord.Username})
 		if loginRecord.UID != -1 {
 			event.RootFields.Put("user.id", loginRecord.UID)
 		}
@@ -194,6 +194,7 @@ func (ms *MetricSet) loginEvent(loginRecord *LoginRecord) mb.Event {
 
 	if loginRecord.IP != nil {
 		event.RootFields.Put("source.ip", loginRecord.IP)
+		event.RootFields.Put("related.ip", []string{loginRecord.IP.String()})
 	}
 
 	if loginRecord.Hostname != "" && loginRecord.Hostname != loginRecord.IP.String() {

diff --git a/x-pack/auditbeat/module/system/login/login_test.go b/x-pack/auditbeat/module/system/login/login_test.go
@@ -128,7 +128,9 @@ func TestWtmp(t *testing.T) {
 	checkFieldValue(t, events[0].RootFields, "event.action", "user_logout")
 	checkFieldValue(t, events[0].RootFields, "process.pid", 14962)
 	checkFieldValue(t, events[0].RootFields, "source.ip", "10.0.2.2")
+	checkFieldValue(t, events[0].RootFields, "related.ip", []string{"10.0.2.2"})
 	checkFieldValue(t, events[0].RootFields, "user.name", "vagrant")
+	checkFieldValue(t, events[0].RootFields, "related.user", []string{"vagrant"})
 	checkFieldValue(t, events[0].RootFields, "user.terminal", "pts/2")
 }