Add skeleton x-pack Auditbeat module (#8252)

This adds an skeleton x-pack module to Auditbeat. The module is only included in the Elastic licensed Auditbeat binary.

The config and fields.yml data are not yet included in the packaging. Additional updates are required.

auditbeat/_meta/fields.common.yml

@@ -7,6 +7,10 @@
     description: >
       The name of the module that generated the event.
 
+  - name: event.dataset
+    description: >
+      The name of the module's dataset that generated the event.
+
   - name: event.action
     type: keyword
     example: logged-in

auditbeat/core/eventmod.go

@@ -30,4 +30,10 @@ func AddDatasetToEvent(module, metricSet string, event *mb.Event) {
 	}
 
 	event.RootFields.Put("event.module", module)
+
+	// Modules without "datasets" should set their module and metricset names
+	// to the same value then this will omit the event.dataset field.
+	if module != metricSet {
+		event.RootFields.Put("event.dataset", metricSet)
+	}
 }

auditbeat/docs/fields.asciidoc

@@ -2759,6 +2759,14 @@ Contains common fields available in all event types.
 The name of the module that generated the event.
 
 
+--
+
+*`event.dataset`*::
++
+--
+The name of the module's dataset that generated the event.
+
+
 --
 
 *`event.action`*::

x-pack/auditbeat/cmd/root.go

@@ -4,11 +4,16 @@
 
 package cmd
 
-import "github.com/elastic/beats/auditbeat/cmd"
+import (
+	"github.com/elastic/beats/auditbeat/cmd"
 
-// RootCmd to handle beats cli
+	// Register Auditbeat x-pack modules.
+	_ "github.com/elastic/beats/x-pack/auditbeat/include"
+)
+
+// RootCmd to handle beats CLI.
 var RootCmd = cmd.RootCmd
 
 func init() {
-	// TODO inject x-pack features
+	// TODO: Inject x-pack features.
 }

x-pack/auditbeat/include/list.go

@@ -0,0 +1,11 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package include
+
+import (
+	// Include all Auditbeat modules so that they register their
+	// factories with the global registry.
+	_ "github.com/elastic/beats/x-pack/auditbeat/module/sysinfo/host"
+)

x-pack/auditbeat/module/sysinfo/_meta/config.yml.tmpl

@@ -0,0 +1,15 @@
+{{ if .Reference -}}
+{{ end -}}
+- module: sysinfo
+  {{ if eq .GOOS "darwin" -}}
+  metricsets:
+    - host
+  {{ else if eq .GOOS "windows" -}}
+  metricsets:
+    - host
+  {{ else -}}
+  metricsets:
+    - host
+  {{- end }}
+{{ if .Reference }}
+{{- end }}

x-pack/auditbeat/module/sysinfo/_meta/docs.asciidoc

@@ -0,0 +1,22 @@
+== Sysinfo Module
+
+The `sysinfo` module ... TODO.
+
+The module is implemented for Linux, macOS (Darwin), and Windows.
+
+[float]
+=== How it works
+
+TODO
+
+[float]
+=== Configuration options
+
+TODO
+
+[source,yaml]
+----
+- module: sysinfo
+----
+
+*`some_option`*:: TODO

x-pack/auditbeat/module/sysinfo/_meta/fields.yml

@@ -0,0 +1,4 @@
+- key: sysinfo
+  title: Sysinfo
+  description: These are the fields generated by the sysinfo module.
+  fields:

x-pack/auditbeat/module/sysinfo/host/_meta/docs.asciidoc

@@ -0,0 +1,8 @@
+The Sysinfo `host` metricset provides ... TODO.
+
+The module is implemented for Linux, macOS (Darwin), and Windows.
+
+[float]
+=== Configuration options
+
+TODO

x-pack/auditbeat/module/sysinfo/host/_meta/fields.yml

@@ -0,0 +1,6 @@
+- name: host
+  type: group
+  description: >
+    `host` contains TODO.
+  release: experimental
+  fields:

x-pack/auditbeat/module/sysinfo/host/config.go

@@ -0,0 +1,17 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package host
+
+// Config defines the host metricset's configuration options.
+type Config struct {
+	// TODO: Add config options.
+}
+
+// Validate validates the host metricset config.
+func (c *Config) Validate() error {
+	return nil
+}
+
+var defaultConfig = Config{}

x-pack/auditbeat/module/sysinfo/host/host.go

@@ -0,0 +1,50 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package host
+
+import (
+	"github.com/pkg/errors"
+
+	"github.com/elastic/beats/libbeat/common"
+	"github.com/elastic/beats/libbeat/common/cfgwarn"
+	"github.com/elastic/beats/metricbeat/mb"
+)
+
+const (
+	moduleName    = "sysinfo"
+	metricsetName = "host"
+)
+
+func init() {
+	mb.Registry.MustAddMetricSet(moduleName, metricsetName, New,
+		mb.DefaultMetricSet(),
+	)
+}
+
+// MetricSet collects data about the host.
+type MetricSet struct {
+	mb.BaseMetricSet
+}
+
+// New constructs a new MetricSet.
+func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
+	cfgwarn.Experimental("The %v/%v dataset is experimental", moduleName, metricsetName)
+
+	config := defaultConfig
+	if err := base.Module().UnpackConfig(&config); err != nil {
+		return nil, errors.Wrapf(err, "failed to unpack the %v/%v config", moduleName, metricsetName)
+	}
+
+	return &MetricSet{base}, nil
+}
+
+// Fetch collects data about the host. It is invoked periodically.
+func (ms *MetricSet) Fetch(report mb.ReporterV2) {
+	report.Event(mb.Event{
+		RootFields: common.MapStr{
+			"hello": "world",
+		},
+	})
+}