x-pack/filebeat/input/etw: Rename activity_guid to activity_id in ETW…

… events (#38530) Rename activity_guid to activity_id in generated ETW events to match mapping and other Windows inputs.
elastic · Mar 25, 2024 · fe132da · fe132da
1 parent 8bda9b2
commit fe132da
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 11 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -104,6 +104,7 @@ fields added to events containing the Beats version. {pull}37553[37553]
 - Fix HTTPJSON handling of empty object bodies in POST requests. {issue}33961[33961] {pull}38290[38290]
 - Fix PEM key validation for CEL and HTTPJSON inputs. {pull}38405[38405]
 - Fix filebeat gcs input panic {pull}38407[38407]
+- Rename `activity_guid` to `activity_id` in ETW input events to suit other Windows inputs. {pull}38530[38530]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/docs/inputs/input-etw.asciidoc b/x-pack/filebeat/docs/inputs/input-etw.asciidoc
@@ -99,15 +99,15 @@ Multiple providers example:
   provider.name: Microsoft-Windows-DNSServer
   session_name: DNSServer-Analytical
   trace_level: verbose
-  match_any_keyword: 0xfffffffffffffffff
+  match_any_keyword: 0xffffffffffffffff
   match_all_keyword: 0
 - type: etw
   id: etw-security
   enabled: true
   provider.name: Microsoft-Windows-Security-Auditing
   session_name: Security-Auditing
   trace_level: warning
-  match_any_keyword: 0xffffffffffffffff
+  match_any_keyword: 0xfffffffffffffff
   match_all_keyword: 0
 ----
 
@@ -145,14 +145,14 @@ using the provider ID prefixed by 'Elastic-'.
 ==== `trace_level`
 
 Defines the filtering level for events based on severity. Valid options include
-critical, error, warning, informational, and verbose.
+critical, error, warning, information, and verbose.
 
 [float]
 ==== `match_any_keyword`
 
 An 8-byte bitmask used for filtering events from specific provider subcomponents
 based on keyword matching. Any matching keyword will enable the event to be
-written. Default value is `0xfffffffffffffffff` so it matches every available
+written. Default value is `0xffffffffffffffff` so it matches every available
 keyword.
 
 Run `logman query providers "<provider.name>"` to list the available keywords

diff --git a/x-pack/filebeat/input/etw/config.go b/x-pack/filebeat/input/etw/config.go
@@ -35,7 +35,7 @@ type config struct {
 	SessionName string `config:"session_name"`
 	// TraceLevel filters all provider events with a level value
 	// that is less than or equal to this level.
-	// Allowed values are critical, error, warning, informational, and verbose.
+	// Allowed values are critical, error, warning, information, and verbose.
 	TraceLevel string `config:"trace_level"`
 	// MatchAnyKeyword is an 8-byte bitmask that enables the filtering of
 	// events from specific provider subcomponents. The provider will write

diff --git a/x-pack/filebeat/input/etw/input.go b/x-pack/filebeat/input/etw/input.go
@@ -182,7 +182,7 @@ var (
 // buildEvent builds the final beat.Event emitted by this input.
 func buildEvent(data map[string]any, h etw.EventHeader, session *etw.Session, cfg config) beat.Event {
 	winlog := map[string]any{
-		"activity_guid": h.ActivityId.String(),
+		"activity_id":   h.ActivityId.String(),
 		"channel":       strconv.FormatUint(uint64(h.EventDescriptor.Channel), 10),
 		"event_data":    data,
 		"flags":         strconv.FormatUint(uint64(h.Flags), 10),

diff --git a/x-pack/filebeat/input/etw/input_test.go b/x-pack/filebeat/input/etw/input_test.go
@@ -367,8 +367,8 @@ func Test_buildEvent(t *testing.T) {
 
 			expected: mapstr.M{
 				"winlog": map[string]any{
-					"activity_guid": "{12345678-1234-1234-1234-123456789ABC}",
-					"channel":       "10",
+					"activity_id": "{12345678-1234-1234-1234-123456789ABC}",
+					"channel":     "10",
 					"event_data": map[string]any{
 						"key": "value",
 					},
@@ -435,8 +435,8 @@ func Test_buildEvent(t *testing.T) {
 
 			expected: mapstr.M{
 				"winlog": map[string]any{
-					"activity_guid": "{12345678-1234-1234-1234-123456789ABC}",
-					"channel":       "10",
+					"activity_id": "{12345678-1234-1234-1234-123456789ABC}",
+					"channel":     "10",
 					"event_data": map[string]any{
 						"key": "value",
 					},
@@ -461,7 +461,7 @@ func Test_buildEvent(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			evt := buildEvent(tt.data, tt.header, tt.session, tt.cfg)
-			assert.Equal(t, tt.expected["winlog"].(map[string]any)["activity_guid"], evt.Fields["winlog"].(map[string]any)["activity_guid"])
+			assert.Equal(t, tt.expected["winlog"].(map[string]any)["activity_id"], evt.Fields["winlog"].(map[string]any)["activity_id"])
 			assert.Equal(t, tt.expected["winlog"].(map[string]any)["channel"], evt.Fields["winlog"].(map[string]any)["channel"])
 			assert.Equal(t, tt.expected["winlog"].(map[string]any)["event_data"], evt.Fields["winlog"].(map[string]any)["event_data"])
 			assert.Equal(t, tt.expected["winlog"].(map[string]any)["flags"], evt.Fields["winlog"].(map[string]any)["flags"])