Merge remote-tracking branch 'upstream/master' into update_lambda

.ci/packaging.groovy

@@ -321,10 +321,12 @@ def tagAndPush(Map args = [:]) {
   }
   // supported image flavours
   def variants = ["", "-oss", "-ubi8"]
-  //
+
   if(beatName == 'elastic-agent'){
       variants.add("-complete")
+      variants.add("-cloud")
   }
+
   variants.each { variant ->
     tags.each { tag ->
       // TODO:

CHANGELOG.next.asciidoc

@@ -306,6 +306,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Update indentation for azure filebeat configuration. {pull}26604[26604]
 - Update Sophos xg module pipeline to deal with missing `date` and `time` fields. {pull}27834[27834]
 - sophos/xg fileset: Add missing pipeline for System Health logs. {pull}27827[27827] {issue}27826[27826]
+- Tolerate faults when Windows Event Log session is interrupted {issue}27947[27947] {pull}28191[28191]
 
 *Heartbeat*
 
@@ -422,6 +423,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add source.ip validation for event ID 4778 in the Security module. {issue}19627[19627]
 - Protect against accessing undefined variables in Sysmon module. {issue}22219[22219] {pull}22236[22236]
 - Protect against accessing an undefined variable in Security module. {pull}22937[22937]
+- Tolerate faults when Windows Event Log session is interrupted {issue}27947[27947] {pull}28191[28191]
 
 *Functionbeat*
 
@@ -513,6 +515,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Update ECS to 1.12.0. {pull}27770[27770]
 - Fields mapped as `match_only_text` will automatically fallback to a `text` mapping when using Elasticsearch versions that do not support `match_only_text`. {pull}27770[27770]
 - Update cloud.google.com/go library. {pull}28229[28229]
+- Upgrade k8s.io/client-go library. {pull}28228[28228]
 
 *Auditbeat*
 

Jenkinsfile

@@ -459,9 +459,9 @@ def tagAndPush(Map args = [:]) {
   // supported image flavours
   def variants = ["", "-oss", "-ubi8"]
 
-  // only add complete variant for the elastic-agent
   if(beatName == 'elastic-agent'){
       variants.add("-complete")
+      variants.add("-cloud")
   }
 
   variants.each { variant ->

auditbeat/auditbeat.reference.yml

@@ -479,7 +479,7 @@ output.elasticsearch:
   # In case you modify this pattern you must update setup.template.name and setup.template.pattern accordingly.
   #index: "auditbeat-%{[agent.version]}-%{+yyyy.MM.dd}"
 
-  # Optional ingest node pipeline. By default no pipeline will be used.
+  # Optional ingest pipeline. By default no pipeline will be used.
   #pipeline: ""
 
   # Optional HTTP path

auditbeat/docs/fields.asciidoc

@@ -2358,7 +2358,7 @@ alias to: error.message
 [float]
 === geoip
 
-The geoip fields are defined as a convenience in case you decide to enrich the data using a geoip filter in Logstash or Ingest Node.
+The geoip fields are defined as a convenience in case you decide to enrich the data using a geoip filter in Logstash or an Elasticsearch geoip ingest processor.
 
 
 

auditbeat/module/auditd/_meta/fields.yml

@@ -858,7 +858,8 @@
     type: group
     description: >
       The geoip fields are defined as a convenience in case you decide to
-      enrich the data using a geoip filter in Logstash or Ingest Node.
+      enrich the data using a geoip filter in Logstash or an Elasticsearch geoip
+      ingest processor.
     fields:
       - name: continent_name
         type: keyword

dev-tools/packaging/packages.yml

@@ -433,6 +433,7 @@ shared:
       docker_entrypoint: 'docker-entrypoint.elastic-agent.tmpl'
       user: '{{ .BeatName }}'
       linux_capabilities: ''
+      image_name: ''
     files:
       'elastic-agent.yml':
         source: 'elastic-agent.docker.yml'
@@ -449,6 +450,11 @@ shared:
       from: 'arm64v8/centos:7'
       buildFrom: 'arm64v8/centos:7'
 
+  - &agent_docker_cloud_spec
+    <<: *agent_docker_spec
+    extra_vars:
+      image_name: '{{.BeatName}}-cloud'
+
   # Deb/RPM spec for community beats.
   - &deb_rpm_spec
     <<: *common
@@ -1007,6 +1013,19 @@ specs:
           '{{.BeatName}}{{.BinaryExt}}':
             source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
 
+    # Cloud specific docker image
+    - os: linux
+      arch: amd64
+      types: [docker]
+      spec:
+        <<: *agent_docker_spec
+        <<: *agent_docker_cloud_spec
+        <<: *elastic_docker_spec
+        <<: *elastic_license_for_binaries
+        files:
+          '{{.BeatName}}{{.BinaryExt}}':
+            source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
+
     - os: linux
       arch: amd64
       types: [docker]
@@ -1033,6 +1052,19 @@ specs:
           '{{.BeatName}}{{.BinaryExt}}':
             source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
 
+    # Cloud specific docker image
+    - os: linux
+      arch: arm64
+      types: [docker]
+      spec:
+        <<: *agent_docker_arm_spec
+        <<: *agent_docker_cloud_spec
+        <<: *elastic_docker_spec
+        <<: *elastic_license_for_binaries
+        files:
+          '{{.BeatName}}{{.BinaryExt}}':
+            source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
+
     - os: linux
       arch: arm64
       types: [docker]

dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl

@@ -22,6 +22,11 @@ RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_s
 {{- end }}
 {{- range $i, $modulesd := .ModulesDirs }}
     chmod 0775 {{ $beatHome}}/{{ $modulesd }} && \
+{{- end }}
+{{- if contains .image_name "-cloud" }}
+    mkdir -p /opt/filebeat /opt/metricbeat && \
+    tar xf {{ $beatHome }}/data/elastic-agent-*/downloads/metricbeat-*.tar.gz -C /opt/metricbeat --strip-components=1 && \
+    tar xf {{ $beatHome }}/data/elastic-agent-*/downloads/filebeat-*.tar.gz -C /opt/filebeat --strip-components=1 && \
 {{- end }}
     true
 
@@ -41,7 +46,6 @@ RUN case $(arch) in aarch64) YUM_FLAGS="-x bind-license";; esac; \
         yum install -y epel-release &&  \
         yum update -y $YUM_FLAGS && \
         yum install -y jq && \
-
         yum clean all && \
         exit_code=0 && break || exit_code=$? && echo "yum error: retry $iter in 10s" && sleep 10; \
     done; \
@@ -134,12 +138,26 @@ RUN mkdir /licenses
 COPY --from=home {{ $beatHome }}/LICENSE.txt /licenses
 COPY --from=home {{ $beatHome }}/NOTICE.txt /licenses
 
-{{- if ne .user "root" }}
+{{- if contains .image_name "-cloud" }}
+COPY --from=home /opt /opt
+{{- end }}
+
+{{- if eq .user "root" }}
+{{- if contains .image_name "-cloud" }}
+# Generate folder for a stub command that will be overwritten at runtime
+RUN mkdir /app
+{{- end }}
+{{- else }}
 RUN groupadd --gid 1000 {{ .BeatName }}
 RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }}
 {{- if (and (eq .Variant "complete") (not (contains .from "ubi-minimal")))  }}
 RUN chown {{ .user }} $NODE_PATH
 {{- end }}
+{{- if contains .image_name "-cloud" }}
+# Generate folder for a stub command that will be overwritten at runtime
+RUN mkdir /app
+RUN chown {{ .user }} /app
+{{- end }}
 {{- end }}
 USER {{ .user }}
 
@@ -172,7 +190,6 @@ RUN cd {{$beatHome}}/.node \
 {{- end }}
 
 
-
 {{- range $i, $port := .ExposePorts }}
 EXPOSE {{ $port }}
 {{- end }}
@@ -183,4 +200,13 @@ EXPOSE {{ $port }}
 ENV LIBBEAT_MONITORING_CGROUPS_HIERARCHY_OVERRIDE=/
 
 WORKDIR {{ $beatHome }}
+
+{{- if contains .image_name "-cloud" }}
+ENTRYPOINT ["/usr/bin/tini", "--"]
+CMD ["/app/apm.sh"]
+# Generate a stub command that will be overwritten at runtime
+RUN echo -e '#!/bin/sh\nexec /usr/local/bin/docker-entrypoint' > /app/apm.sh && \
+    chmod 0555 /app/apm.sh
+{{- else }}
 ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-entrypoint"]
+{{- end }}