fix mapping error for cloudtrail additonalEventData field (#16088) (#…

…16098) (cherry picked from commit 03d62cc)
elastic · Feb 18, 2020 · d0f02c0 · d0f02c0
1 parent 783999a
commit d0f02c0
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 3 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -44,8 +44,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 
 *Filebeat*
-
 - Fix a connection error in httpjson input. {pull}16123[16123]
+- Fix mapping error for cloudtrail additionalEventData field {pull}16088[16088]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml
@@ -108,8 +108,8 @@ processors:
   - script:
       lang: painless
       source: |
-        if (ctx.json.additionalEventdata != null) {
-          ctx.aws.cloudtrail.additional_eventdata = ctx.json.additionalEventdata.toString();
+        if (ctx.json.additionalEventData != null) {
+          ctx.aws.cloudtrail.additional_eventdata = ctx.json.additionalEventData.toString();
         }
       ignore_failure: true
   - rename:

diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json
@@ -1,6 +1,7 @@
 [
     {
         "@timestamp": "2014-07-16T15:49:27.000Z",
+        "aws.cloudtrail.additional_eventdata": "{LoginTo=https://console.aws.amazon.com/s3/, MobileVersion=No, MFAUsed=No}",
         "aws.cloudtrail.event_version": "1.05",
         "aws.cloudtrail.response_elements": "{ConsoleLogin=Success}",
         "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/JohnDoe",
@@ -34,6 +35,7 @@
     },
     {
         "@timestamp": "2014-07-08T17:35:27.000Z",
+        "aws.cloudtrail.additional_eventdata": "{LoginTo=https://console.aws.amazon.com/sns, MobileVersion=No, MFAUsed=No}",
         "aws.cloudtrail.error_message": "Failed authentication",
         "aws.cloudtrail.event_version": "1.05",
         "aws.cloudtrail.response_elements": "{ConsoleLogin=Failure}",