Rename source.hostname to source.domain

CHANGELOG.asciidoc

@@ -19,6 +19,7 @@ https://github.com/elastic/beats/compare/v6.4.0...master[Check the HEAD diff]
 
 - Use `initial_scan` action for new paths. {pull}7954[7954]
 - Rename beat.name to agent.type, beat.hostname to agent.hostname, beat.version to agent.version.
+- Rename `source.hostname` to `source.domain` in the auditd module. {pull}NNNN[NNNN]
 
 *Filebeat*
 

auditbeat/docs/breaking.asciidoc

@@ -1,4 +1,15 @@
 [[auditbeat-breaking-changes]]
+== Breaking changes in 7.0
+
+In version 7.0 the following fields were renamed.
+
+.Renamed Fields in 7.0
+[frame="topbot",options="header"]
+|======================
+|Old Field|New Field
+|`source.hostname`        |`source.domain`
+|======================
+
 == Breaking changes in 6.2
 
 As a general rule, we strive to keep backwards compatibility between minor
@@ -97,7 +108,7 @@ In Kibana you need to <<load-kibana-dashboards,import>> the latest dashboards
 that work with the new event format. The new dashboards will not work with data
 produced by older versions of Auditbeat.
 
-.Renamed Fields
+.Renamed Fields in 6.2
 [frame="topbot",options="header"]
 |======================
 |Old Field|New Field

auditbeat/docs/fields.asciidoc

@@ -282,15 +282,6 @@ The current working directory.
 Source that triggered the event.
 
 
-*`source.hostname`*::
-+
---
-type: keyword
-
-Hostname of the source.
-
---
-
 *`source.path`*::
 +
 --

auditbeat/module/auditd/_meta/data.json

@@ -1,5 +1,9 @@
 {
     "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
     "auditd": {
         "data": {
             "acct": "(invalid user)",
@@ -22,10 +26,6 @@
             }
         }
     },
-    "beat": {
-        "hostname": "host.example.com",
-        "name": "host.example.com"
-    },
     "event": {
         "action": "logged-in",
         "category": "user-login",

auditbeat/module/auditd/_meta/fields.yml

@@ -103,9 +103,6 @@
     type: group
     description: Source that triggered the event.
     fields:
-    - name: hostname
-      type: keyword
-      description: Hostname of the source.
     - name: path
       type: keyword
       description: This is the path associated with a unix socket.

auditbeat/module/auditd/audit_linux.go

@@ -622,7 +622,7 @@ func addAddress(addr *aucoalesce.Address, key string, m common.MapStr) {
 	address := common.MapStr{}
 	m.Put(key, address)
 	if addr.Hostname != "" {
-		address["hostname"] = addr.Hostname
+		address["domain"] = addr.Hostname
 	}
 	if addr.IP != "" {
 		address["ip"] = addr.IP

auditbeat/module/file_integrity/_meta/data.json

@@ -1,6 +1,6 @@
 {
     "@timestamp": "2017-10-12T08:05:34.853Z",
-    "beat": {
+    "agent": {
         "hostname": "host.example.com",
         "name": "host.example.com"
     },

dev-tools/ecs-migration.yml

@@ -84,3 +84,9 @@
   to: source.geo.region_iso_code
   alias: true
   copy_to: false
+
+# From Auditbeat's auditd module.
+- from: source.hostname
+  to: source.domain
+  alias: true
+  copy_to: false

metricbeat/mb/testing/data_generator.go

@@ -148,7 +148,7 @@ func StandardizeEvent(ms mb.MetricSet, e mb.Event, modifiers ...mb.EventModifier
 
 	fullEvent := e.BeatEvent(ms.Module().Name(), ms.Name(), modifiers...)
 
-	fullEvent.Fields["beat"] = common.MapStr{
+	fullEvent.Fields["agent"] = common.MapStr{
 		"name":     "host.example.com",
 		"hostname": "host.example.com",
 	}