Change event.type to auditd.message_type (#10536)

`event.type` is a reserved field in ECS so move the current field to `auditd.message_type`.

Author: andrewkroh

CHANGELOG.next.asciidoc

@@ -40,6 +40,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
   FIM module. {pull}10195[10195]
 - Field `file.origin` changed type from `text` to `keyword`. {pull}10544[10544]
 - Rename user fields to ECS in auditd module. {pull}10456[10456]
+- Rename `event.type` to `auditd.message_type` in auditd module because event.type is reserved for future use by ECS. {pull}10536[10536]
 
 *Filebeat*
 

auditbeat/docs/breaking.asciidoc

@@ -7,6 +7,7 @@ In version 7.0 the following fields were renamed.
 [frame="topbot",options="header"]
 |======================
 |Old Field|New Field
+|`event.type`             |`auditd.message_type`
 |`process.cwd`            |`process.working_directory`
 |`source.hostname`        |`source.domain`
 |`user.auid`              |`user.audit.id`

auditbeat/docs/fields.asciidoc

@@ -302,6 +302,18 @@ This is the path associated with a unix socket.
 --
 
 
+*`auditd.message_type`*::
++
+--
+type: keyword
+
+example: syscall
+
+The audit message type (e.g. syscall or apparmor_denied).
+
+
+--
+
 *`auditd.sequence`*::
 +
 --

auditbeat/module/auditd/_meta/accept.json

@@ -15,6 +15,7 @@
             "syscall": "accept",
             "tty": "(none)"
         },
+        "message_type": "syscall",
         "result": "success",
         "sequence": 8832,
         "session": "unset",
@@ -34,8 +35,7 @@
     "event": {
         "action": "accepted-connection-from",
         "category": "audit-rule",
-        "module": "auditd",
-        "type": "syscall"
+        "module": "auditd"
     },
     "network": {
         "direction": "incoming"

auditbeat/module/auditd/_meta/data.json

@@ -10,6 +10,7 @@
             "op": "login",
             "terminal": "sshd"
         },
+        "message_type": "user_login",
         "result": "fail",
         "sequence": 19955,
         "session": "unset",
@@ -29,8 +30,7 @@
     "event": {
         "action": "logged-in",
         "category": "user-login",
-        "module": "auditd",
-        "type": "user_login"
+        "module": "auditd"
     },
     "network": {
         "direction": "incoming"

auditbeat/module/auditd/_meta/execve.json

@@ -11,6 +11,7 @@
             "syscall": "execve",
             "tty": "pts0"
         },
+        "message_type": "syscall",
         "paths": [
             {
                 "dev": "08:01",
@@ -53,8 +54,7 @@
     "event": {
         "action": "executed",
         "category": "audit-rule",
-        "module": "auditd",
-        "type": "syscall"
+        "module": "auditd"
     },
     "file": {
         "device": "00:00",

auditbeat/module/auditd/_meta/fields.yml

@@ -135,6 +135,11 @@
   - name: auditd
     type: group
     fields:
+    - name: message_type
+      type: keyword
+      example: syscall
+      description: >
+        The audit message type (e.g. syscall or apparmor_denied).
     - name: sequence
       type: long
       description: >

auditbeat/module/auditd/audit_linux.go

@@ -472,15 +472,15 @@ func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event
 		RootFields: common.MapStr{
 			"event": common.MapStr{
 				"category": auditEvent.Category.String(),
-				"type":     strings.ToLower(auditEvent.Type.String()),
 				"action":   auditEvent.Summary.Action,
 			},
 		},
 		ModuleFields: common.MapStr{
-			"sequence": auditEvent.Sequence,
-			"result":   auditEvent.Result,
-			"session":  auditEvent.Session,
-			"data":     createAuditdData(auditEvent.Data),
+			"message_type": strings.ToLower(auditEvent.Type.String()),
+			"sequence":     auditEvent.Sequence,
+			"result":       auditEvent.Result,
+			"session":      auditEvent.Session,
+			"data":         createAuditdData(auditEvent.Data),
 		},
 	}
 

auditbeat/module/auditd/fields.go

@@ -1613,6 +1613,12 @@
   alias: true
   beat: auditbeat
 
+- from: event.type
+  to: auditd.message_type
+  alias: false
+  beat: auditbeat
+  comment: event.type is reserved for future use by ECS.
+
 # Metricbeat
 
 ## Metricbeat base fields