From f9af36d091cb1241283ecc8e027016254b3386ad Mon Sep 17 00:00:00 2001 From: "Lee E. Hinman" Date: Tue, 29 Sep 2020 13:00:18 -0500 Subject: [PATCH 1/2] Move winlogbeat processor to libbeat - needed for filebeat winlog input - changed name to windows - also register as winlogbeat for backwards compatibility --- libbeat/processors/script/javascript/module/include.go | 1 + .../processors/script/javascript/module/windows}/doc.go | 2 +- .../processors/script/javascript/module/windows/windows.go | 4 +++- .../script/javascript/module/windows/windows_test.go | 2 +- winlogbeat/cmd/root.go | 1 - .../module/powershell/config/winlogbeat-powershell.js | 4 ++-- .../winlogbeat/module/security/config/winlogbeat-security.js | 4 ++-- x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js | 4 ++-- x-pack/winlogbeat/module/testing_windows.go | 1 - 9 files changed, 12 insertions(+), 11 deletions(-) rename {winlogbeat/processors/script/javascript/module/winlogbeat => libbeat/processors/script/javascript/module/windows}/doc.go (98%) rename winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat.go => libbeat/processors/script/javascript/module/windows/windows.go (94%) rename winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat_test.go => libbeat/processors/script/javascript/module/windows/windows_test.go (99%) diff --git a/libbeat/processors/script/javascript/module/include.go b/libbeat/processors/script/javascript/module/include.go index f30e423e7a2..b498dc90e21 100644 --- a/libbeat/processors/script/javascript/module/include.go +++ b/libbeat/processors/script/javascript/module/include.go @@ -24,4 +24,5 @@ import ( _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module/path" _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module/processor" _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module/require" + _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module/windows" ) 
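Review bot: The blank import of `module/windows` added to include.go gives no hint that the module exists only on Windows. windows.go in this same patch is guarded by `// +build windows`, so on other platforms the import presumably compiles only doc.go and `require("windows")` is never registered. include.go appears to be the shared registration point for the script processor's modules, so a script written against this module will fail at `require` when run by a Beat on another OS. A comment on the import would save the lookup, for example `// windows registers its module only in Windows builds; require("windows") is unavailable elsewhere.`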
diff --git a/winlogbeat/processors/script/javascript/module/winlogbeat/doc.go b/libbeat/processors/script/javascript/module/windows/doc.go similarity index 98% rename from winlogbeat/processors/script/javascript/module/winlogbeat/doc.go rename to libbeat/processors/script/javascript/module/windows/doc.go index fc782636d09..7046000a729 100644 --- a/winlogbeat/processors/script/javascript/module/winlogbeat/doc.go +++ b/libbeat/processors/script/javascript/module/windows/doc.go @@ -18,4 +18,4 @@ // Package winlogbeat registers the winlogbeat module with the javascript script // processor. The module has utilities specific to Winlogbeat like parsing // Windows command lines. -package winlogbeat +package windows diff --git a/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat.go b/libbeat/processors/script/javascript/module/windows/windows.go similarity index 94% rename from winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat.go rename to libbeat/processors/script/javascript/module/windows/windows.go index dc9439c5c67..7070471a569 100644 --- a/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat.go +++ b/libbeat/processors/script/javascript/module/windows/windows.go @@ -17,7 +17,7 @@ // +build windows -package winlogbeat +package windows import ( "syscall" @@ -74,9 +74,11 @@ func Require(vm *goja.Runtime, module *goja.Object) { // Enable adds path to the given runtime. func Enable(runtime *goja.Runtime) { + runtime.Set("windows", require.Require(runtime, "windows")) runtime.Set("winlogbeat", require.Require(runtime, "winlogbeat")) } func init() { + require.RegisterNativeModule("windows", Require) require.RegisterNativeModule("winlogbeat", Require) } 
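Review bot: The comment on `Enable` in windows.go still reads "adds path to the given runtime", which looks copied from the path module and does not describe a function that now sets two globals; patch 2/2 rewrites the `Require` comment but leaves this one. I would change it to `// Enable adds the windows module to the given runtime as the global "windows" and, for existing scripts, as the alias "winlogbeat".` and put `// "winlogbeat" is kept as an alias for backwards compatibility.` above the second `RegisterNativeModule` call in `init`, since the commit message is currently the only place the alias is explained. The `Require` doc comment in patch 2/2 (hunk `@@ -60,11 +60,11 @@`) has the same gap, as it shows only `require('windows')`. The windows_test.go hunk changes just the package clause, so whether both names are exercised cannot be seen from this diff; a test that requires each name would pin the compatibility promise.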
diff --git a/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat_test.go b/libbeat/processors/script/javascript/module/windows/windows_test.go similarity index 99% rename from winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat_test.go rename to libbeat/processors/script/javascript/module/windows/windows_test.go index 45c339cc1f2..be213a79ba8 100644 --- a/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat_test.go +++ b/libbeat/processors/script/javascript/module/windows/windows_test.go @@ -17,7 +17,7 @@ // +build windows -package winlogbeat +package windows import ( "testing" diff --git a/winlogbeat/cmd/root.go b/winlogbeat/cmd/root.go index 7e25e717813..2cd26a9fe8e 100644 --- a/winlogbeat/cmd/root.go +++ b/winlogbeat/cmd/root.go @@ -30,7 +30,6 @@ import ( // Import processors and supporting modules. _ "github.com/elastic/beats/v7/libbeat/processors/script" _ "github.com/elastic/beats/v7/libbeat/processors/timestamp" - _ "github.com/elastic/beats/v7/winlogbeat/processors/script/javascript/module/winlogbeat" ) const ( diff --git a/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js b/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js index 71ce567ccc7..4ef1155086b 100644 --- a/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js +++ b/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js @@ -5,7 +5,7 @@ var powershell = (function () { var path = require("path"); var processor = require("processor"); - var winlogbeat = require("winlogbeat"); + var windows = require("windows"); var normalizeCommonFieldNames = new processor.Convert({ fields: [ @@ -183,7 +183,7 @@ var powershell = (function () { if (!commandLine) { return; } - evt.Put(target, winlogbeat.splitCommandLine(commandLine)); + evt.Put(target, windows.splitCommandLine(commandLine)); }; var addProcessArgs = function (evt) { 
diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 9a0899165b9..5a8e91b677b 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -5,7 +5,7 @@ var security = (function () { var path = require("path"); var processor = require("processor"); - var winlogbeat = require("winlogbeat"); + var windows = require("windows"); // Logon Types // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events @@ -1670,7 +1670,7 @@ var security = (function () { if (!cl) { return; } - evt.Put("process.args", winlogbeat.splitCommandLine(cl)); + evt.Put("process.args", windows.splitCommandLine(cl)); evt.Put("process.command_line", cl); }) .Build(); diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js index 5fcedb9e40e..5b09c98fc32 100644 --- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js +++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js @@ -15,7 +15,7 @@ if (!String.prototype.startsWith) { var sysmon = (function () { var path = require("path"); var processor = require("processor"); - var winlogbeat = require("winlogbeat"); + var windows = require("windows"); var net = require("net"); // Windows error codes for DNS. This list was generated using @@ -311,7 +311,7 @@ var sysmon = (function () { if (!commandLine) { return; } - evt.Put(target, winlogbeat.splitCommandLine(commandLine)); + evt.Put(target, windows.splitCommandLine(commandLine)); }; var splitProcessArgs = function (evt) { diff --git a/x-pack/winlogbeat/module/testing_windows.go b/x-pack/winlogbeat/module/testing_windows.go index 12b2102070f..058e2320a9d 100644 --- a/x-pack/winlogbeat/module/testing_windows.go +++ b/x-pack/winlogbeat/module/testing_windows.go 
@@ -28,7 +28,6 @@ import ( // Register javascript modules. _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module" - _ "github.com/elastic/beats/v7/winlogbeat/processors/script/javascript/module/winlogbeat" ) var update = flag.Bool("update", false, "update golden files") From 072ec9fe46a4227e9b14af89a6ab597509cdd238 Mon Sep 17 00:00:00 2001 From: "Lee E. Hinman" Date: Wed, 30 Sep 2020 10:32:23 -0500 Subject: [PATCH 2/2] Fix documentation --- libbeat/processors/script/javascript/module/windows/doc.go | 4 ++-- .../processors/script/javascript/module/windows/windows.go | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libbeat/processors/script/javascript/module/windows/doc.go b/libbeat/processors/script/javascript/module/windows/doc.go index 7046000a729..bca46a94340 100644 --- a/libbeat/processors/script/javascript/module/windows/doc.go +++ b/libbeat/processors/script/javascript/module/windows/doc.go @@ -15,7 +15,7 @@ // specific language governing permissions and limitations // under the License. -// Package winlogbeat registers the winlogbeat module with the javascript script -// processor. The module has utilities specific to Winlogbeat like parsing +// Package windows registers the windows module with the javascript script +// processor. The module has utilities specific to Windows like parsing // Windows command lines. package windows diff --git a/libbeat/processors/script/javascript/module/windows/windows.go b/libbeat/processors/script/javascript/module/windows/windows.go index 7070471a569..2bbe7817fad 100644 --- a/libbeat/processors/script/javascript/module/windows/windows.go +++ b/libbeat/processors/script/javascript/module/windows/windows.go 
@@ -60,11 +60,11 @@ func commandLineToArgvW(in string) ([]string, error) { return args, nil } -// Require registers the winlogbeat module that has utilities specific to -// Winlogbeat like parsing Windows command lines. It can be accessed using: +// Require registers the windows module that has utilities specific to +// Windows like parsing Windows command lines. It can be accessed using: // // // javascript -// var winlogbeat = require('winlogbeat'); +// var windows = require('windows'); // func Require(vm *goja.Runtime, module *goja.Object) { o := module.Get("exports").(*goja.Object)