Rename source_ecs to source (elastic#8983)

* Rename source_ecs to source Update Suricata module to use `source` instead of `source_ecs` now that the Filebeat source field has been changed. This updates `libbeat/_meta/fields.ecs.yml` to include the ECS `source.*` fields. This updates the dashboards and visualizations to use the new `source` fields. And I also updated the saved searches to use `event.module` instead of `fileset.module`. - Remove source.ip, source,port from auditbeat's auditd module fields (source.hostname remains, will remove separately). - Remove source.ip, source.port, and source.mac from packetbeat's flow fields. - Adds `source.geo` and `destination.geo` to fields.ecs.yml.
DStape · Nov 9, 2018 · 97d26b4 · 97d26b4
1 parent abba03d
commit 97d26b4
Show file tree

Hide file tree

Showing 2 changed files with 172 additions and 12 deletions.
diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc
@@ -918,52 +918,98 @@ Can be one or multiple IPv4 or IPv6 addresses.
 
 --
 
-*`destination.hostname`*::
+*`destination.port`*::
++
+--
+type: long
+
+Port of the destination.
+
+
+--
+
+*`destination.mac`*::
 +
 --
 type: keyword
 
-Hostname of the destination.
+MAC address of the destination.
 
 
 --
 
-*`destination.port`*::
+*`destination.domain`*::
 +
 --
-type: long
+type: keyword
 
-Port of the destination.
+Destination domain.
 
 
 --
 
-*`destination.mac`*::
+[float]
+== geo fields
+
+Geolocation for destination.
+
+
+*`destination.geo.continent_name`*::
 +
 --
 type: keyword
 
-MAC address of the destination.
+Name of the continent.
 
 
 --
 
-*`destination.domain`*::
+*`destination.geo.country_iso_code`*::
 +
 --
 type: keyword
 
-Destination domain.
+Country ISO code.
+
+
+--
+
+*`destination.geo.location`*::
++
+--
+type: geo_point
+
+Longitude and latitude.
 
 
 --
 
-*`destination.subdomain`*::
+*`destination.geo.region_name`*::
 +
 --
 type: keyword
 
-Destination subdomain.
+Region name.
+
+
+--
+
+*`destination.geo.city_name`*::
++
+--
+type: keyword
+
+City name.
+
+
+--
+
+*`destination.geo.region_iso_code`*::
++
+--
+type: keyword
+
+Region ISO code.
 
 
 --
@@ -2103,6 +2149,120 @@ Ephemeral identifier of this service (if one exists).
 This id normally changes across restarts, but `service.id` does not.
 
 
+--
+
+[float]
+== source fields
+
+Source fields describe details about the source of the event.
+
+
+
+*`source.ip`*::
++
+--
+type: ip
+
+IP address of the source.
+Can be one or multiple IPv4 or IPv6 addresses.
+
+
+--
+
+*`source.port`*::
++
+--
+type: long
+
+Port of the source.
+
+
+--
+
+*`source.mac`*::
++
+--
+type: keyword
+
+MAC address of the source.
+
+
+--
+
+*`source.domain`*::
++
+--
+type: keyword
+
+Source domain.
+
+
+--
+
+[float]
+== geo fields
+
+Geolocation for source.
+
+
+*`source.geo.continent_name`*::
++
+--
+type: keyword
+
+Name of the continent.
+
+
+--
+
+*`source.geo.country_iso_code`*::
++
+--
+type: keyword
+
+Country ISO code.
+
+
+--
+
+*`source.geo.location`*::
++
+--
+type: geo_point
+
+Longitude and latitude.
+
+
+--
+
+*`source.geo.region_name`*::
++
+--
+type: keyword
+
+Region name.
+
+
+--
+
+*`source.geo.city_name`*::
++
+--
+type: keyword
+
+City name.
+
+
+--
+
+*`source.geo.region_iso_code`*::
++
+--
+type: keyword
+
+Region ISO code.
+
+
 --
 
 [float]