func buildMetricbeatEvent()

in auditbeat/module/file_integrity/event.go [303:433]


// buildMetricbeatEvent converts a file integrity Event into the mb.Event that
// is returned to the caller. All file attributes go under the "file" key of
// MetricSetFields; process, container, event.* and error.message are added
// beside it with Put.
//
// existedBefore is passed unchanged to e.Action.InOrder, together with whether
// e.Info is present, to order the reported actions.
//
// Notes for consumers of the resulting event:
//   - When e.Info is nil, no inode, ownership, mode, setuid/setgid, SELinux or
//     ACL field is written. A missing field therefore means "not collected",
//     not "not set".
//   - "setuid" and "setgid" are written only when true.
//   - "error.message" is a string for one error and a []string for several.
func buildMetricbeatEvent(e *Event, existedBefore bool) mb.Event {
	fileFields := mapstr.M{"path": e.Path}
	// fields aliases the map stored in the event, so every Put below is
	// visible through event.MetricSetFields.
	fields := mapstr.M{"file": fileFields}
	event := mb.Event{
		Timestamp:       e.Timestamp,
		Took:            e.rtt,
		MetricSetFields: fields,
	}

	if e.TargetPath != "" {
		fileFields["target_path"] = e.TargetPath
	}

	if info := e.Info; info != nil {
		fileFields["inode"] = strconv.FormatUint(info.Inode, 10)
		fileFields["mtime"] = info.MTime
		fileFields["ctime"] = info.CTime

		// Extension, MIME type and size are reported for regular files only.
		if info.Type == FileType {
			// filepath.Ext returns the suffix starting at the final dot, so
			// there is exactly one leading dot to strip.
			if ext := filepath.Ext(e.Path); ext != "" {
				fileFields["extension"] = strings.TrimPrefix(ext, ".")
			}
			// NOTE(review): getMimeType is given the path rather than the
			// metadata in info; if it reads the file, its result may describe
			// different content than info does. Confirm against the helper.
			if mime := getMimeType(e.Path); mime != "" {
				fileFields["mime_type"] = mime
			}
			fileFields["size"] = info.Size
		}

		if info.Type != UnknownType {
			fileFields["type"] = info.Type.String()
		}

		switch runtime.GOOS {
		case "windows":
			if letter := getDriveLetter(e.Path); letter != "" {
				fileFields["drive_letter"] = letter
			}
			// On Windows "uid" carries the SID; no gid or mode is emitted.
			if info.SID != "" {
				fileFields["uid"] = info.SID
			}
		default:
			// uid and gid are emitted as decimal strings and mode as an
			// octal string, unconditionally.
			fileFields["uid"] = strconv.Itoa(int(info.UID))
			fileFields["gid"] = strconv.Itoa(int(info.GID))
			fileFields["mode"] = fmt.Sprintf("%#04o", uint32(info.Mode))
		}

		if info.Owner != "" {
			fileFields["owner"] = info.Owner
		}
		if info.Group != "" {
			fileFields["group"] = info.Group
		}
		if info.SetUID {
			fileFields["setuid"] = true
		}
		if info.SetGID {
			fileFields["setgid"] = true
		}
		if len(info.Origin) > 0 {
			fileFields["origin"] = info.Origin
		}
		if info.SELinux != "" {
			fileFields["selinux"] = info.SELinux
		}
		if len(info.POSIXACLAccess) != 0 {
			// An aclText failure is dropped: the event then has no
			// "posix_acl_access" and nothing is added to error.message, so a
			// consumer cannot tell a rendering failure from a file with no ACL.
			if text, err := aclText(info.POSIXACLAccess); err == nil {
				fileFields["posix_acl_access"] = text
			}
		}
	}

	if proc := e.Process; proc != nil {
		fields.Put("process", mapstr.M{
			"pid":       proc.PID,
			"name":      proc.Name,
			"entity_id": proc.EntityID,
			"user": mapstr.M{
				"id":   proc.User.ID,
				"name": proc.User.Name,
			},
			"group": mapstr.M{
				"id":   proc.Group.ID,
				"name": proc.Group.Name,
			},
		})
	}

	if e.ContainerID != "" {
		fields.Put("container.id", e.ContainerID)
	}

	if len(e.Hashes) > 0 {
		digests := make(mapstr.M, len(e.Hashes))
		for algo, sum := range e.Hashes {
			digests[string(algo)] = sum
		}
		fileFields["hash"] = digests
	}

	// Parser results are merged last and without a collision check, so a
	// result keyed "path", "hash", "mode", etc. replaces the value set above.
	// NOTE(review): confirm every parser emits only its own namespaced key.
	for key, val := range e.ParserResults {
		fileFields[key] = val
	}

	fields.Put("event.kind", "event")
	fields.Put("event.category", []string{"file"})
	switch {
	case e.Action > 0:
		ordered := e.Action.InOrder(existedBefore, e.Info != nil)
		fields.Put("event.type", ordered.ECSTypes())
		fields.Put("event.action", ordered.StringArray())
	default:
		// With no action recorded, only event.type is set (from None);
		// event.action is left out.
		fields.Put("event.type", None.ECSTypes())
	}

	switch count := len(e.errors); count {
	case 0:
		// No errors: error.message is not set.
	case 1:
		fields.Put("error.message", e.errors[0].Error())
	default:
		msgs := make([]string, count)
		for i, cause := range e.errors {
			msgs[i] = cause.Error()
		}
		fields.Put("error.message", msgs)
	}
	return event
}