Skip to content

Add ecs.version to the audit log ECS documents#5584

Merged
ramonsmits merged 1 commit into
masterfrom
audit-log-ecs-version
Jul 8, 2026
Merged

Add ecs.version to the audit log ECS documents#5584
ramonsmits merged 1 commit into
masterfrom
audit-log-ecs-version

Conversation

@ramonsmits

@ramonsmits ramonsmits commented Jul 8, 2026

Copy link
Copy Markdown
Member

Fixes #5590

The authorization and message-action audit documents omitted the ecs.version field. ECS-consuming pipelines (Elasticsearch's built-in logs-*-* index template, Elastic Security, other SIEMs) use ecs.version to select the matching field mappings, so a conformant document should declare it. Both streams now emit "ecs": { "version": "8.11.0" }.

The authorization and message-action audit documents omitted the
ecs.version field. ECS-consuming pipelines (Elasticsearch's built-in
logs-*-* index template, Elastic Security, other SIEMs) use ecs.version
to select the matching field mappings, so a conformant document should
declare it. Both streams now emit "ecs": { "version": "8.11.0" } — the
latest ECS schema release, whose event.category/type/outcome and user.*
fields are what these documents already use.

Additive, non-breaking output change. First shipped in 6.18.0 without the
field, so this targets the next patch (6.18.1) or minor (6.19.0).

ECS version field: https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html
event.type allowed values (allowed/denied/change/deletion):
https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-type.html
ECS releases: https://github.com/elastic/ecs/releases
@ramonsmits ramonsmits marked this pull request as ready for review July 8, 2026 14:06
@ramonsmits ramonsmits merged commit 450a75c into master Jul 8, 2026
33 checks passed
@ramonsmits ramonsmits deleted the audit-log-ecs-version branch July 8, 2026 14:07
@ramonsmits ramonsmits added this to the 6.19.0 milestone Jul 8, 2026
@WilliamBZA WilliamBZA removed this from the 6.19.0 milestone Jul 9, 2026
WilliamBZA pushed a commit that referenced this pull request Jul 9, 2026
The authorization and message-action audit documents omitted the
ecs.version field. ECS-consuming pipelines (Elasticsearch's built-in
logs-*-* index template, Elastic Security, other SIEMs) use ecs.version
to select the matching field mappings, so a conformant document should
declare it. Both streams now emit "ecs": { "version": "8.11.0" } — the
latest ECS schema release, whose event.category/type/outcome and user.*
fields are what these documents already use.

Additive, non-breaking output change. First shipped in 6.18.0 without the
field, so this targets the next patch (6.18.1) or minor (6.19.0).

ECS version field: https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html
event.type allowed values (allowed/denied/change/deletion):
https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-type.html
ECS releases: https://github.com/elastic/ecs/releases
WilliamBZA added a commit that referenced this pull request Jul 9, 2026
* Add improvements to authorization settings

* Add ecs.version to the audit log ECS documents (#5584)

The authorization and message-action audit documents omitted the
ecs.version field. ECS-consuming pipelines (Elasticsearch's built-in
logs-*-* index template, Elastic Security, other SIEMs) use ecs.version
to select the matching field mappings, so a conformant document should
declare it. Both streams now emit "ecs": { "version": "8.11.0" } — the
latest ECS schema release, whose event.category/type/outcome and user.*
fields are what these documents already use.

Additive, non-breaking output change. First shipped in 6.18.0 without the
field, so this targets the next patch (6.18.1) or minor (6.19.0).

ECS version field: https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html
event.type allowed values (allowed/denied/change/deletion):
https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-type.html
ECS releases: https://github.com/elastic/ecs/releases

* Add user.roles to the authorization audit log (#5583)

Add user.roles to the authorization audit log

Emit the roles the principal held as the ECS user.roles array on each
authorization decision, so SIEMs can facet and alert on roles instead of
parsing them out of the free-text reason. Omitted when the principal has
no roles.

* Add improvements to authorization settings (#5588)

---------

Co-authored-by: Ramon Smits <ramon.smits@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

User roles are not emitted to the authorization audit log

2 participants