From c9f6d761dd55d968a611c47500a34d5117002181 Mon Sep 17 00:00:00 2001
From: Feroz Salam
Date: Wed, 20 Jan 2021 10:10:52 +0000
Subject: [PATCH 01/15] Stage 1 Orchestrator RFC
---
rfcs/text/0012-orchestrator-field-set.md | 135 +++++++++++++++++++++--
1 file changed, 123 insertions(+), 12 deletions(-)
diff --git a/rfcs/text/0012-orchestrator-field-set.md b/rfcs/text/0012-orchestrator-field-set.md
index 207af5c763..f0fa65435c 100644
--- a/rfcs/text/0012-orchestrator-field-set.md
+++ b/rfcs/text/0012-orchestrator-field-set.md
@@ -19,9 +19,68 @@ add a new schema rather than change existing material.
## Fields
-
+The proposed change adds six fields, as described below:
+
+```
+---
+- name: orchestrator
+ title: Orchestrator
+ group: 2
+ short: Fields relevant to container orchestrators.
+ description: >
+ Fields that describe the resources which container orchestrators manage or
+ act upon.
+ type: group
+ fields:
+ - name: cluster
+ level: core
+ type: keyword
+ example: production
+ description: >
+ Orchestrator cluster name.
+
+ - name: type
+ level: core
+ type: keyword
+ example: Nomad, Kubernetes
+ description: >
+ Orchestrator cluster type.
+
+ - name: namespace
+ level: core
+ type: keyword
+ example: kube-system
+ description: >
+ Namespace in which the action is taking place.
+
+ - name: resource.name
+ level: core
+ type: keyword
+ example: test-pod-cdcws
+ description: >
+ Name of the resource being acted upon.
+
+ - name: resource.type
+ level: core
+ type: keyword
+ example: service
+ description: >
+ Type of resource being acted upon.
+
+ - name: subresource.type
+ level: extended
+ example: status
+ type: keyword
+ description: >
+ Subresource of the resource being acted upon, if applicable.
+
+ - name: api_version
+ level: extended
+ example: v1beta1
+ type: keyword
+ description: >
+ API version being used to carry out the action
+```
+The `orchestrator` field set will be used to capture typical concepts employed
+by container orchestrators to manage resources. The key intent of this is to allow
+for a a consistent method by which audit logs from container orchestrators can
+be compared. For example, this would allow the creation of open source detection
+rulesets for suspicious Kubernetes events based on audit logs, which can be easily
+transferred from one cluster to another without depending on the specifics of
+parsing implementations.
+
+This might also have use in performance and monitoring tooling which exists around
+container orchestrators, allowing for the definition of shareable dashboards and
+alert definitions.
## Source data
-
+Examples of source data include:
+
+- [Kubernetes audit logs][1]
+- [Kubernetes node logs][2]
+- [HashiCorp Nomad audit logs][3]
+- [Falco alert logs][4]
+
+### Kubernetes audit log
+
+```json
+{
+ "_index": "filebeat-7.7.0-2020.12.31-000001",
+ "_type": "_doc",
+ "_id": "KbmPuXYBaTdcl42uyGfl",
+ "_version": 1,
+ "_score": null,
+ "_source": {
+ "@timestamp": "2020-12-31T16:09:35.735Z",
+ "log": {
+ "offset": 7248566,
+ "file": {
+ "path": "/tmp/host-logs/kube-apiserver-audit.log"
+ }
+ },
+ "cloud.provider": "gcp",
+ "event.action": "create",
+ "orchestrator.cluster": "test-dev",
+ "orchestrator.type": "Kubernetes",
+ "orchestrator.subresource": "attach",
+ "orchestrator.resource.type": "pods",
+ "orchestrator.namespace": "default",
+ "orchestrator.resource.name": "test",
+ "orchestrator.api_version": "v1",
+ "user.name": "system:serviceaccount:test"
+ }
+}
+```
+### Kubernetes-specific logic
+
+The key concern here is the dominance of one particular container orchestration
+system - Kubernetes - over the rest of the ecosystem. Other orchestrators include
+options like HashiCorp Nomad, Docker Swarm, Apache Mesos, but it is unclear to
+what extent the alternatives share the same logical primitives as Kubernetes. An
+attempt has been made to ensure that the proposed field set is as generic and flexible
+as possible, however it would be useful to consider in some detail whether the
+preference is to keep the field set short and as generic as possible, or large
+enough to cover all the logical primitives of popular orchestrators.
* Stage 0: https://github.com/elastic/ecs/pull/1209
+* Stage 1: https://github.com/elastic/ecs/pull/1230
+- Stage: **1 (draft)**
- Date: **2021-01-11**
There is currently no ECS field set for container orchestration engines.
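Review bot: The Kubernetes sample under `### Kubernetes audit log` does not match the schema it is meant to illustrate: it emits `"orchestrator.subresource": "attach"` while the field list defines `subresource.type`, so someone copying the sample produces a field the schema does not declare; either the sample line should read `"orchestrator.subresource.type": "attach",` or the field should be named `subresource`. The sample is also an Elasticsearch hit (`_index`, `_id`, `_score`, `_source`) rather than the raw kube-apiserver audit event the section calls "source data"; showing the raw event next to the mapped one would let reviewers see what the mapping drops — in particular whether the audit stage (request received vs. response complete) and the response status survive, since a detection rule for an attach or exec has to tell an attempted action from a completed one. Minor: `for a a consistent method` has a doubled article.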
There is an example of an ECS
@@ -144,6 +144,45 @@ Examples of source data include:
}
```
+### Hashicorp Nomad audit log
+
+```json
+{
+ "created_at": "2020-03-24T13:09:35.704224536-04:00",
+ "event_type": "audit",
+ "payload": {
+ "id": "8b826146-b264-af15-6526-29cb905145aa",
+ "stage": "OperationComplete",
+ "type": "audit",
+ "timestamp": "2020-03-24T13:09:35.703865005-04:00",
+ "version": 1,
+ "auth": {
+ "accessor_id": "a162f017-bcf7-900c-e22a-a2a8cbbcef53",
+ "name": "Bootstrap Token",
+ "global": true,
+ "create_time": "2020-03-24T17:08:35.086591881Z"
+ },
+ "request": {
+ "id": "02f0ac35-c7e8-0871-5a58-ee9dbc0a70ea",
+ "event.action": "GET",
+ "orchestrator.api_version": "v1",
+ "orchestrator.resource.type": "nodes",
+ "orchestrator.namespace": "default"
+ "request_meta": {
+ "remote_address": "127.0.0.1:33648",
+ "user_agent": "Go-http-client/1.1"
+ },
+ "node_meta": {
+ "ip": "127.0.0.1:4646"
+ }
+ },
+ "response": {
+ "status_code": 200
+ }
+ }
+}
+```
+
From fa9fc51d225a90c8d303d32d87918dacc1a7df64 Mon Sep 17 00:00:00 2001
From: Feroz Salam
Date: Sun, 7 Feb 2021 19:50:29 +0000
Subject: [PATCH 06/15] Update orchestrator.cluster to an object
---
rfcs/text/0012-orchestrator-field-set.md | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/rfcs/text/0012-orchestrator-field-set.md b/rfcs/text/0012-orchestrator-field-set.md
index b6309bfaf1..4557a29547 100644
--- a/rfcs/text/0012-orchestrator-field-set.md
+++ b/rfcs/text/0012-orchestrator-field-set.md
@@ -34,10 +34,9 @@ The proposed change adds six fields, as described below:
fields:
- name: cluster
level: core
- type: keyword
- example: production
+ type: object
description: >
- Orchestrator cluster name.
+ Orchestrator cluster details.
- name: type
level: core
@@ -132,7 +131,9 @@ Examples of source data include:
},
"cloud.provider": "gcp",
"event.action": "create",
- "orchestrator.cluster": "test-dev",
+ "orchestrator.cluster": {
+ "name": "test-dev",
+ }
"orchestrator.type": "Kubernetes",
"orchestrator.subresource": "attach",
"orchestrator.resource.type": "pods",
From 837a6d09105d8c55cca38d9dfca6d97e898615bc Mon Sep 17 00:00:00 2001
From: Feroz Salam
Date: Sun, 7 Feb 2021 19:58:51 +0000
Subject: [PATCH 07/15] Add an organization field for multi-tenant setups
---
rfcs/text/0012-orchestrator-field-set.md | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/rfcs/text/0012-orchestrator-field-set.md b/rfcs/text/0012-orchestrator-field-set.md
index 4557a29547..09dbac8703 100644
--- a/rfcs/text/0012-orchestrator-field-set.md
+++ b/rfcs/text/0012-orchestrator-field-set.md
@@ -45,6 +45,13 @@ The proposed change adds six fields, as described below:
description: >
Orchestrator cluster type.
+ - name: organization
+ level: core
+ type: keyword
+ example: elastic
+ description: >
+ Organization affected by the event (for multi-tenant orchestrator setups).
+
- name: namespace
level: core
type: keyword
From 1516c9039a0739891f4a785b0e8c686b3724ee3d Mon Sep 17 00:00:00 2001
From: Feroz Salam
Date: Fri, 12 Feb 2021 12:08:24 +0000
Subject: [PATCH 08/15] Switch all fields to extended
---
rfcs/text/0012-orchestrator-field-set.md | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/rfcs/text/0012-orchestrator-field-set.md b/rfcs/text/0012-orchestrator-field-set.md
index 09dbac8703..9cadda0df5 100644
--- a/rfcs/text/0012-orchestrator-field-set.md
+++ b/rfcs/text/0012-orchestrator-field-set.md
@@ -33,41 +33,41 @@ The proposed change adds six fields, as described below:
type: group
fields:
- name: cluster
- level: core
+ level: extended
type: object
description: >
Orchestrator cluster details.
- name: type
- level: core
+ level: extended
type: keyword
example: Nomad, Kubernetes
description: >
Orchestrator cluster type.
- name: organization
- level: core
+ level: extended
type: keyword
example: elastic
description: >
Organization affected by the event (for multi-tenant orchestrator setups).
- name: namespace
- level: core
+ level: extended
type: keyword
example: kube-system
description: >
Namespace in which the action is taking place.
- name: resource.name
- level: core
+ level: extended
type: keyword
example: test-pod-cdcws
description: >
Name of the resource being acted upon.
- name: resource.type
- level: core
+ level: extended
type: keyword
example: service
description: >
From 76a9864f3056f3d9016db10607d243d7070bb7ed Mon Sep 17 00:00:00 2001
From: Feroz Salam
Date: Sun, 21 Feb 2021 11:32:30 +0000
Subject: [PATCH 09/15] Apply suggestions from code review
Co-authored-by: Jaime Soriano Pastor
---
rfcs/text/0012-orchestrator-field-set.md | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/rfcs/text/0012-orchestrator-field-set.md b/rfcs/text/0012-orchestrator-field-set.md
index 9cadda0df5..3dda75cc3f 100644
--- a/rfcs/text/0012-orchestrator-field-set.md
+++ b/rfcs/text/0012-orchestrator-field-set.md
@@ -41,9 +41,9 @@ The proposed change adds six fields, as described below:
- name: type
level: extended
type: keyword
- example: Nomad, Kubernetes
+ example: kubernetes
description: >
- Orchestrator cluster type.
+ Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
- name: organization
level: extended
@@ -140,10 +140,10 @@ Examples of source data include:
"event.action": "create",
"orchestrator.cluster": {
"name": "test-dev",
- }
- "orchestrator.type": "Kubernetes",
+ },
+ "orchestrator.type": "kubernetes",
"orchestrator.subresource": "attach",
- "orchestrator.resource.type": "pods",
+ "orchestrator.resource.type": "pod",
"orchestrator.namespace": "default",
"orchestrator.resource.name": "test",
"orchestrator.api_version": "v1",
@@ -175,7 +175,7 @@ Examples of source data include:
"event.action": "GET",
"orchestrator.api_version": "v1",
"orchestrator.resource.type": "nodes",
- "orchestrator.namespace": "default"
+ "orchestrator.namespace": "default",
"request_meta": {
"remote_address": "127.0.0.1:33648",
"user_agent": "Go-http-client/1.1"
From 1cb1113ad4c700e855ae4092e9015d40dff951bb Mon Sep 17 00:00:00 2001
From: Feroz Salam
Date: Sun, 21 Feb 2021 11:44:11 +0000
Subject: [PATCH 10/15] Remove subresource field
---
rfcs/text/0012-orchestrator-field-set.md | 7 -------
1 file changed, 7 deletions(-)
diff --git a/rfcs/text/0012-orchestrator-field-set.md b/rfcs/text/0012-orchestrator-field-set.md
index 3dda75cc3f..5eac9f76c3 100644
--- a/rfcs/text/0012-orchestrator-field-set.md
+++ b/rfcs/text/0012-orchestrator-field-set.md
@@ -73,13 +73,6 @@ The proposed change adds six fields, as described below:
description: >
Type of resource being acted upon.
- - name: subresource.type
- level: extended
- example: status
- type: keyword
- description: >
- Subresource of the resource being acted upon, if applicable.
-
- name: api_version
level: extended
example: v1beta1
From fdb65295c058b6ab986af4c69f599c3c04493f3f Mon Sep 17 00:00:00 2001
From: Feroz Salam
Date: Sun, 21 Feb 2021 11:52:04 +0000
Subject: [PATCH 11/15] Update sample Nomad audit log
---
rfcs/text/0012-orchestrator-field-set.md | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/rfcs/text/0012-orchestrator-field-set.md b/rfcs/text/0012-orchestrator-field-set.md
index 5eac9f76c3..5c344a70ed 100644
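Review bot: Dropping `subresource.type` in the `@@ -73,13 +73,6 @@` hunk removes the one field that the RFC's own motivation (portable detection rules for suspicious Kubernetes audit events) most depends on: the Kubernetes sample earlier in this file records `"event.action": "create"` on `"orchestrator.resource.type": "pod"` together with `"orchestrator.subresource": "attach"`, and without the subresource that event becomes indistinguishable from an ordinary pod creation, so an exec/attach rule can no longer be expressed in these fields. The hunk also leaves that sample line in place, so after this commit the example emits a field the schema no longer declares. If the field is dropped on purpose, the sample should lose the `orchestrator.subresource` line and the Concerns section should state how subresource operations are expected to be represented; otherwise keeping it as `- name: subresource` (keyword, example `attach`) with a description such as `Subresource of the resource being acted upon, e.g. attach, exec or status, when the orchestrator exposes one.` would preserve the signal.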
--- a/rfcs/text/0012-orchestrator-field-set.md
+++ b/rfcs/text/0012-orchestrator-field-set.md
@@ -151,6 +151,10 @@ Examples of source data include:
{
"created_at": "2020-03-24T13:09:35.704224536-04:00",
"event_type": "audit",
+ "orchestrator.api_version": "v1",
+ "orchestrator.namespace": "default",
+ "orchestrator.resource.type": "nodes",
+ "orchestrator.type: "nomad",
"payload": {
"id": "8b826146-b264-af15-6526-29cb905145aa",
"stage": "OperationComplete",
@@ -166,9 +170,6 @@ Examples of source data include:
"request": {
"id": "02f0ac35-c7e8-0871-5a58-ee9dbc0a70ea",
"event.action": "GET",
- "orchestrator.api_version": "v1",
- "orchestrator.resource.type": "nodes",
- "orchestrator.namespace": "default",
"request_meta": {
"remote_address": "127.0.0.1:33648",
"user_agent": "Go-http-client/1.1"
From c7a6ae1cc47830e3481aa8440321c7d7558be07c Mon Sep 17 00:00:00 2001
From: Feroz Salam
Date: Sat, 27 Feb 2021 06:55:56 +0000
Subject: [PATCH 12/15] Fix audit log sample
---
rfcs/text/0012-orchestrator-field-set.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rfcs/text/0012-orchestrator-field-set.md b/rfcs/text/0012-orchestrator-field-set.md
index 5c344a70ed..1cc2276c7b 100644
--- a/rfcs/text/0012-orchestrator-field-set.md
+++ b/rfcs/text/0012-orchestrator-field-set.md
@@ -154,7 +154,7 @@ Examples of source data include:
"orchestrator.api_version": "v1",
"orchestrator.namespace": "default",
"orchestrator.resource.type": "nodes",
- "orchestrator.type: "nomad",
+ "orchestrator.type": "nomad",
"payload": {
"id": "8b826146-b264-af15-6526-29cb905145aa",
"stage": "OperationComplete",
From 8cebf683cd86d9b7a6fa1793ee03929b10ffe03d Mon Sep 17 00:00:00 2001
From: Feroz Salam
Date: Sat, 27 Feb 2021 07:03:24 +0000
Subject: [PATCH 13/15] Add cluster name and URL fields
---
rfcs/text/0012-orchestrator-field-set.md | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/rfcs/text/0012-orchestrator-field-set.md b/rfcs/text/0012-orchestrator-field-set.md
index 1cc2276c7b..5b624a9faa 100644
--- a/rfcs/text/0012-orchestrator-field-set.md
+++ b/rfcs/text/0012-orchestrator-field-set.md
@@ -38,6 +38,18 @@ The proposed change adds six fields, as described below:
description: >
Orchestrator cluster details.
+ - name: cluster.name
+ level: extended
+ type: keyword
+ description: >
+ Name of the cluster.
+
+ - name: cluster.url
+ level: extended
+ type: keyword
+ description: >
+ URL of the cluster.
+
- name: type
level: extended
type: keyword
From 106ad3148e7f6ecd432be58ceda30913bfc82576 Mon Sep 17 00:00:00 2001
From: Eric Beahan
Date: Mon, 1 Mar 2021 15:28:31 -0600
Subject: [PATCH 14/15] fix
---
.github/workflows/test.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 0e4a5703f9..679ef411cb 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -10,7 +10,7 @@ jobs:
- uses: actions/checkout@v2
- uses: actions/setup-go@v2
with:
- go-version: '^1.13.1'
+ go-version: '~1.15.8'
- uses: actions/setup-python@v2
with:
python-version: '3.x'
From 6a97b5dcfeb18249ea0833aa0e4422c96658ab2e Mon Sep 17 00:00:00 2001
From: Eric Beahan
Date: Mon, 1 Mar 2021 15:33:27 -0600
Subject: [PATCH 15/15] testing
---
.github/workflows/test.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 679ef411cb..f5aad7d831 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -10,7 +10,7 @@ jobs:
- uses: actions/checkout@v2
- uses: actions/setup-go@v2
with:
- go-version: '~1.15.8'
+ go-version: '1.15.x'
- uses: actions/setup-python@v2
with:
python-version: '3.x'
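Review bot: The new `cluster.url` field is documented only as `URL of the cluster.`, which does not say which URL is meant (presumably the API endpoint a client such as kubectl talks to — confirm) and, unlike the sibling fields, carries no `example:`; a reader mapping Nomad or Kubernetes data cannot tell whether to put the control-plane endpoint, a console URL or something else here. Suggested description: `URL of the API used to manage the cluster (e.g. the Kubernetes API server endpoint).` with `example: https://10.0.0.1:6443`. The same hunk's `cluster.name` should likewise get an `example:` (the sample further down uses `test-dev`).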
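Review bot: `go-version: '1.15.x'` (like the `~1.15.8` it replaces) is resolved by setup-go at run time, so the CI toolchain floats to whatever 1.15 patch is current, and the commit messages `fix` and `testing` do not record why the constraint moved from `^1.13.1` to 1.15; a short comment beside the line stating the reason and whether 1.15 is a floor or a requirement (`# Go 1.15 line required by <reason>; patch version intentionally floats`) would spare the next person a bisect. The `uses: actions/checkout@v2` and `uses: actions/setup-go@v2` context lines reference the actions by mutable tag; pinning each to a full commit SHA with the tag in a trailing comment (`actions/setup-go@<sha> # v2`) is the usual guard against a retargeted tag pulling different code into the job. The `jobs:` block this hunk edits begins above the hunk.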