From 0cfe465bd62d2ff7d4cbd51c4efd071a947c3a0b Mon Sep 17 00:00:00 2001
From: Chris Berkhout
Date: Tue, 27 May 2025 15:45:54 +0200
Subject: [PATCH 1/4] Add event.module definition for the events data stream.
---
 packages/jamf_pro/data_stream/events/fields/base-fields.yml | 3 +++
 packages/jamf_pro/docs/README.md | 1 +
 2 files changed, 4 insertions(+)
diff --git a/packages/jamf_pro/data_stream/events/fields/base-fields.yml b/packages/jamf_pro/data_stream/events/fields/base-fields.yml
index b886237fe7a..777ee80b677 100644
--- a/packages/jamf_pro/data_stream/events/fields/base-fields.yml
+++ b/packages/jamf_pro/data_stream/events/fields/base-fields.yml
@@ -15,3 +15,6 @@
 - name: event.dataset
 type: constant_keyword
 value: jamf_pro.events
+- name: event.module
+ type: constant_keyword
+ value: jamf_pro
diff --git a/packages/jamf_pro/docs/README.md b/packages/jamf_pro/docs/README.md
index 1f07854cc39..ab88b831d07 100644
--- a/packages/jamf_pro/docs/README.md
+++ b/packages/jamf_pro/docs/README.md
@@ -504,6 +504,7 @@ The following non-ECS fields are used in real-time event documents:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | event.dataset | | constant_keyword |
+| event.module | | constant_keyword |
 | input.type | | keyword |
 | jamf_pro.events.event.alternate_mac_address | | keyword |
 | jamf_pro.events.event.asset_tag | | keyword |
From 436be9e58c3d65e9ff8c7187cdde10dac2867508 Mon Sep 17 00:00:00 2001
From: Chris Berkhout
Date: Tue, 27 May 2025 16:15:15 +0200
Subject: [PATCH 2/4] Update sample events.
---
 .../data_stream/events/sample_event.json | 21 ++++-----
 .../data_stream/inventory/sample_event.json | 27 +++++-------
 packages/jamf_pro/docs/README.md | 44 +++++++++----------
 3 files changed, 44 insertions(+), 48 deletions(-) 
diff --git a/packages/jamf_pro/data_stream/events/sample_event.json b/packages/jamf_pro/data_stream/events/sample_event.json
index af2ef4bb855..6082e20f07d 100644
--- a/packages/jamf_pro/data_stream/events/sample_event.json
+++ b/packages/jamf_pro/data_stream/events/sample_event.json 
@@ -1,29 +1,30 @@
 {
- "@timestamp": "2024-09-10T16:37:20.274Z",
+ "@timestamp": "2025-05-27T14:10:23.470Z",
 "agent": {
- "ephemeral_id": "65fb36ce-0e96-4f1f-99fe-5a19a14acfa1",
- "id": "920d1c20-a89f-4166-b97e-42186275db28",
- "name": "elastic-agent-21773",
+ "ephemeral_id": "05a484da-a7b8-4044-95c7-faae1b7cffb6",
+ "id": "15f5630f-b7fd-4c63-b4af-730817ddff2d",
+ "name": "elastic-agent-32235",
 "type": "filebeat",
- "version": "8.14.3"
+ "version": "8.13.4"
 },
 "data_stream": {
 "dataset": "jamf_pro.events",
- "namespace": "75060",
+ "namespace": "11652",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "920d1c20-a89f-4166-b97e-42186275db28",
+ "id": "15f5630f-b7fd-4c63-b4af-730817ddff2d",
 "snapshot": false,
- "version": "8.14.3"
+ "version": "8.13.4"
 },
 "event": {
+ "action": "ComputerAdded",
 "agent_id_status": "verified",
 "dataset": "jamf_pro.events",
- "ingested": "2024-09-10T16:37:21Z",
+ "ingested": "2025-05-27T14:10:24Z",
 "kind": "event",
 "original": "{\"event\":{\"alternateMacAddress\":\"be:aa:e5:54:94:db\",\"building\":\"1S8NPV\",\"department\":\"XDO4C5\",\"deviceName\":\"VPNYC\",\"emailAddress\":\"kghrqq@email.com\",\"ipAddress\":\"89.160.20.156\",\"jssID\":\"1500747557\",\"macAddress\":\"be:aa:e5:54:94:db\",\"managementId\":\"6319330669\",\"model\":\"LJ68RT\",\"osBuild\":\"26.6913\",\"osVersion\":\"92.5786\",\"phone\":\"2183546\",\"position\":\"B64JIO\",\"realName\":\"CPK79\",\"reportedIpAddress\":\"89.160.20.156\",\"room\":\"HQC6S9\",\"serialNumber\":\"7967177\",\"udid\":\"7265694772\",\"userDirectory_id\":\"0389771137\",\"username\":\"John Doe\"},\"webhook\":{\"eventTimestamp\":1725443872001,\"id\":\"8131946016\",\"name\":\"PU17M\",\"webhookEvent\":\"ComputerAdded\"}}"
 },
@@ -102,4 +103,4 @@
 "email": "kghrqq@email.com",
 "name": "John Doe"
 }
-}
\ No newline at end of file
+} 
diff --git a/packages/jamf_pro/data_stream/inventory/sample_event.json b/packages/jamf_pro/data_stream/inventory/sample_event.json
index b927fd20fb1..82e318ad533 100644
--- a/packages/jamf_pro/data_stream/inventory/sample_event.json
+++ b/packages/jamf_pro/data_stream/inventory/sample_event.json
@@ -1,29 +1,29 @@
 {
- "@timestamp": "2024-09-10T16:38:08.084Z",
+ "@timestamp": "2025-05-27T14:11:07.015Z",
 "agent": {
- "ephemeral_id": "032b2039-1b4d-4eae-b52c-d08936b47ca5",
- "id": "ba358bea-2bfe-4de2-9315-576d52fe94fc",
- "name": "elastic-agent-46649",
+ "ephemeral_id": "dab976fe-f898-4ec6-92c6-84b21b4c379a",
+ "id": "16c644f3-4469-4b8d-8ed7-20ccd22185f5",
+ "name": "elastic-agent-58306",
 "type": "filebeat",
- "version": "8.14.3"
+ "version": "8.13.4"
 },
 "data_stream": {
 "dataset": "jamf_pro.inventory",
- "namespace": "72595",
+ "namespace": "42032",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "ba358bea-2bfe-4de2-9315-576d52fe94fc",
+ "id": "16c644f3-4469-4b8d-8ed7-20ccd22185f5",
 "snapshot": false,
- "version": "8.14.3"
+ "version": "8.13.4"
 },
 "event": {
 "agent_id_status": "verified",
 "dataset": "jamf_pro.inventory",
- "ingested": "2024-09-10T16:38:11Z",
+ "ingested": "2025-05-27T14:11:10Z",
 "kind": "asset"
 },
 "host": {
@@ -59,7 +59,7 @@
 "remote_management": {
 "managed": true
 },
- "report_date": "2024-06-19T15:54:37.692Z",
+ "report_date": "2024-06-19T15:54:37.68Z",
 "site": {
 "id": "-1",
 "name": "None"
@@ -68,7 +68,7 @@
 "user_approved_mdm": false
 },
 "id": "3",
- "udid": "5982CE36-4526-580B-B4B9-ECC6782535BC"
+ "udid": "5982CE36-4526-580B-B4B9-ECC6782535BB"
 }
 },
 "os": {
@@ -77,12 +77,9 @@
 "related": {
 "ip": [
 "10.122.26.87"
- ],
- "user": [
- ""
 ]
 },
 "tags": [
 "forwarded"
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/jamf_pro/docs/README.md b/packages/jamf_pro/docs/README.md
index ab88b831d07..84abbe7c193 100644
--- a/packages/jamf_pro/docs/README.md
+++ b/packages/jamf_pro/docs/README.md 
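Review bot: The regenerated inventory sample drops the `"user": [""]` entry from `related` (hunk `@@ -77,12 +77,9 @@`), yet no ingest pipeline or field change for the inventory stream is part of this patch series, so the removal presumably comes from pipeline behaviour merged earlier or from different test input rather than from these commits. It is worth confirming that the current pipeline genuinely no longer appends an empty username to `related.user`, because a blank value in that array degrades entity correlation for every inventory document and the sample is what readers treat as the documented output. The other differences in this file (`report_date` precision, the last character of `udid`, agent ids and the `8.13.4` stack version that is older than the `8.14.3` it replaces) look like ordinary regeneration noise, but they indicate the sample was produced from a different run than the previous one, so a short sentence in the PR description naming the test input it came from would help future regenerations.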
@@ -104,31 +104,31 @@ An example event for `inventory` looks as following:
 ```json
 {
- "@timestamp": "2024-09-10T16:38:08.084Z",
+ "@timestamp": "2025-05-27T14:11:07.015Z",
 "agent": {
- "ephemeral_id": "032b2039-1b4d-4eae-b52c-d08936b47ca5",
- "id": "ba358bea-2bfe-4de2-9315-576d52fe94fc",
- "name": "elastic-agent-46649",
+ "ephemeral_id": "dab976fe-f898-4ec6-92c6-84b21b4c379a",
+ "id": "16c644f3-4469-4b8d-8ed7-20ccd22185f5",
+ "name": "elastic-agent-58306",
 "type": "filebeat",
- "version": "8.14.3"
+ "version": "8.13.4"
 },
 "data_stream": {
 "dataset": "jamf_pro.inventory",
- "namespace": "72595",
+ "namespace": "42032",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "ba358bea-2bfe-4de2-9315-576d52fe94fc",
+ "id": "16c644f3-4469-4b8d-8ed7-20ccd22185f5",
 "snapshot": false,
- "version": "8.14.3"
+ "version": "8.13.4"
 },
 "event": {
 "agent_id_status": "verified",
 "dataset": "jamf_pro.inventory",
- "ingested": "2024-09-10T16:38:11Z",
+ "ingested": "2025-05-27T14:11:10Z",
 "kind": "asset"
 },
 "host": {
@@ -164,7 +164,7 @@ An example event for `inventory` looks as following:
 "remote_management": {
 "managed": true
 },
- "report_date": "2024-06-19T15:54:37.692Z",
+ "report_date": "2024-06-19T15:54:37.68Z",
 "site": {
 "id": "-1",
 "name": "None"
@@ -173,7 +173,7 @@ An example event for `inventory` looks as following:
 "user_approved_mdm": false
 },
 "id": "3",
- "udid": "5982CE36-4526-580B-B4B9-ECC6782535BC"
+ "udid": "5982CE36-4526-580B-B4B9-ECC6782535BB"
 }
 },
 "os": {
@@ -182,9 +182,6 @@ An example event for `inventory` looks as following:
 "related": {
 "ip": [
 "10.122.26.87"
- ],
- "user": [
- ""
 ]
 },
 "tags": [ 
@@ -387,31 +384,32 @@ An example event for `events` looks as following:
 ```json
 {
- "@timestamp": "2024-09-10T16:37:20.274Z",
+ "@timestamp": "2025-05-27T14:10:23.470Z",
 "agent": {
- "ephemeral_id": "65fb36ce-0e96-4f1f-99fe-5a19a14acfa1",
- "id": "920d1c20-a89f-4166-b97e-42186275db28",
- "name": "elastic-agent-21773",
+ "ephemeral_id": "05a484da-a7b8-4044-95c7-faae1b7cffb6",
+ "id": "15f5630f-b7fd-4c63-b4af-730817ddff2d",
+ "name": "elastic-agent-32235",
 "type": "filebeat",
- "version": "8.14.3"
+ "version": "8.13.4"
 },
 "data_stream": {
 "dataset": "jamf_pro.events",
- "namespace": "75060",
+ "namespace": "11652",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "920d1c20-a89f-4166-b97e-42186275db28",
+ "id": "15f5630f-b7fd-4c63-b4af-730817ddff2d",
 "snapshot": false,
- "version": "8.14.3"
+ "version": "8.13.4"
 },
 "event": {
+ "action": "ComputerAdded",
 "agent_id_status": "verified",
 "dataset": "jamf_pro.events",
- "ingested": "2024-09-10T16:37:21Z",
+ "ingested": "2025-05-27T14:10:24Z",
 "kind": "event",
 "original": "{\"event\":{\"alternateMacAddress\":\"be:aa:e5:54:94:db\",\"building\":\"1S8NPV\",\"department\":\"XDO4C5\",\"deviceName\":\"VPNYC\",\"emailAddress\":\"kghrqq@email.com\",\"ipAddress\":\"89.160.20.156\",\"jssID\":\"1500747557\",\"macAddress\":\"be:aa:e5:54:94:db\",\"managementId\":\"6319330669\",\"model\":\"LJ68RT\",\"osBuild\":\"26.6913\",\"osVersion\":\"92.5786\",\"phone\":\"2183546\",\"position\":\"B64JIO\",\"realName\":\"CPK79\",\"reportedIpAddress\":\"89.160.20.156\",\"room\":\"HQC6S9\",\"serialNumber\":\"7967177\",\"udid\":\"7265694772\",\"userDirectory_id\":\"0389771137\",\"username\":\"John Doe\"},\"webhook\":{\"eventTimestamp\":1725443872001,\"id\":\"8131946016\",\"name\":\"PU17M\",\"webhookEvent\":\"ComputerAdded\"}}"
 },
From 420e9723b9665fe950bdeb338af2c003cca924b9 Mon Sep 17 00:00:00 2001 
From: Chris Berkhout
Date: Tue, 27 May 2025 17:34:05 +0200
Subject: [PATCH 3/4] Version bump, changelog entry.
---
 packages/jamf_pro/changelog.yml | 5 +++++
 packages/jamf_pro/manifest.yml | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/packages/jamf_pro/changelog.yml b/packages/jamf_pro/changelog.yml
index 86fc6369d9a..0e957d81841 100644
--- a/packages/jamf_pro/changelog.yml
+++ b/packages/jamf_pro/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.5.3"
+ changes:
+ - description: Add `event.module` definition for the `events` data stream.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/14017
 - version: "0.5.2"
 changes:
 - description: Fix `flattened` field types for non-object values.
diff --git a/packages/jamf_pro/manifest.yml b/packages/jamf_pro/manifest.yml
index 2d136e516dc..9abf6a9b3ed 100644
--- a/packages/jamf_pro/manifest.yml
+++ b/packages/jamf_pro/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.1.5
 name: jamf_pro
 title: "Jamf Pro"
-version: "0.5.2"
+version: "0.5.3"
 source:
 license: "Elastic-2.0"
 description: "Collect logs and inventory data from Jamf Pro with Elastic Agent"
From cee15e8a920625edbe6d28a10dbac807a44f1fbb Mon Sep 17 00:00:00 2001
From: Chris Berkhout
Date: Wed, 28 May 2025 10:35:22 +0200
Subject: [PATCH 4/4] Add ecs ref to get description.
---
 .../jamf_pro/data_stream/events/fields/base-fields.yml | 2 ++
 .../jamf_pro/data_stream/inventory/fields/base-fields.yml | 2 ++
 packages/jamf_pro/docs/README.md | 8 ++++----
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/packages/jamf_pro/data_stream/events/fields/base-fields.yml b/packages/jamf_pro/data_stream/events/fields/base-fields.yml
index 777ee80b677..8fe52b213b5 100644
--- a/packages/jamf_pro/data_stream/events/fields/base-fields.yml
+++ b/packages/jamf_pro/data_stream/events/fields/base-fields.yml 
@@ -15,6 +15,8 @@
 - name: event.dataset
 type: constant_keyword
 value: jamf_pro.events
+ external: ecs
 - name: event.module
 type: constant_keyword
 value: jamf_pro
+ external: ecs
diff --git a/packages/jamf_pro/data_stream/inventory/fields/base-fields.yml b/packages/jamf_pro/data_stream/inventory/fields/base-fields.yml
index edaa725908a..28e7e54cd07 100644
--- a/packages/jamf_pro/data_stream/inventory/fields/base-fields.yml
+++ b/packages/jamf_pro/data_stream/inventory/fields/base-fields.yml
@@ -16,6 +16,8 @@
 - name: event.dataset
 type: constant_keyword
 value: jamf_pro.inventory
+ external: ecs
 - name: event.module
 type: constant_keyword
 value: jamf_pro
+ external: ecs
diff --git a/packages/jamf_pro/docs/README.md b/packages/jamf_pro/docs/README.md
index 84abbe7c193..523c023214b 100644
--- a/packages/jamf_pro/docs/README.md
+++ b/packages/jamf_pro/docs/README.md
@@ -200,8 +200,8 @@ The following non-ECS fields are used in inventory documents:
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| event.dataset | | constant_keyword |
-| event.module | | constant_keyword |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword |
 | input.type | Input type | keyword |
 | jamf_pro.inventory.applications.bundle_id | | keyword |
 | jamf_pro.inventory.applications.external_version_id | | keyword | 
@@ -501,8 +501,8 @@ The following non-ECS fields are used in real-time event documents:
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| event.dataset | | constant_keyword |
-| event.module | | constant_keyword |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword |
 | input.type | | keyword |
 | jamf_pro.events.event.alternate_mac_address | | keyword |
 | jamf_pro.events.event.asset_tag | | keyword |