Rename source_ecs to source

Update Suricata module to use `source` instead of `source_ecs` now that the Filebeat source field has been changed. This updates `libbeat/_meta/fields.ecs.yml` to include the ECS `source.*` fields. This updates the dashboards and visualizations to use the new `source` fields. And I also updated the saved searches to use `event.module` instead of `fileset.module`. Remove source.ip, source,port, and source.hostname from auditbeat's auditd module fields. Remove source.ip, source.port, and source.mac from packetbeat's flow fields.
elastic · Nov 8, 2018 · 3eb2749 · 3eb2749
1 parent 4e812da
commit 3eb2749
Show file tree

Hide file tree

Showing 27 changed files with 903 additions and 464 deletions.
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
@@ -27,6 +27,7 @@ https://github.com/elastic/beats/compare/v6.4.0...master[Check the HEAD diff]
 - Rename source to log.file.path and log.source.ip {pull}8902[8902]
 - Remove the deprecated `prospector(s)` option in the configuration use `input(s)` instead. {pull}8909[8909]
 - Rename `offset` to `log.offset`. {pull}8923[8923]
+- Rename `source_ecs` to `source` in the Filebeat Suricata module. {pull}8983[8983]
 
 *Heartbeat*
 

diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc
@@ -282,33 +282,6 @@ The current working directory.
 Source that triggered the event.
 
 
-*`source.ip`*::
-+
---
-type: ip
-
-The remote address.
-
---
-
-*`source.port`*::
-+
---
-type: keyword
-
-The port number.
-
---
-
-*`source.hostname`*::
-+
---
-type: keyword
-
-Hostname of the source.
-
---
-
 *`source.path`*::
 +
 --
@@ -4245,6 +4218,64 @@ Ephemeral identifier of this service (if one exists).
 This id normally changes across restarts, but `service.id` does not.
 
 
+--
+
+[float]
+== source fields
+
+Source fields describe details about the source of the event.
+
+
+
+*`source.ip`*::
++
+--
+type: ip
+
+IP address of the source.
+Can be one or multiple IPv4 or IPv6 addresses.
+
+
+--
+
+*`source.hostname`*::
++
+--
+type: keyword
+
+Hostname of the source.
+
+
+--
+
+*`source.port`*::
++
+--
+type: long
+
+Port of the source.
+
+
+--
+
+*`source.mac`*::
++
+--
+type: keyword
+
+MAC address of the source.
+
+
+--
+
+*`source.domain`*::
++
+--
+type: keyword
+
+Source domain.
+
+
 --
 
 [float]

diff --git a/auditbeat/include/fields.go b/auditbeat/include/fields.go
diff --git a/auditbeat/module/auditd/_meta/fields.yml b/auditbeat/module/auditd/_meta/fields.yml
@@ -103,15 +103,6 @@
     type: group
     description: Source that triggered the event.
     fields:
-    - name: ip
-      type: ip
-      description: The remote address.
-    - name: port
-      type: keyword
-      description: The port number.
-    - name: hostname
-      type: keyword
-      description: Hostname of the source.
     - name: path
       type: keyword
       description: This is the path associated with a unix socket.

diff --git a/dev-tools/ecs-migration.yml b/dev-tools/ecs-migration.yml
@@ -44,3 +44,43 @@
   to: agent.version
   alias: true
   copy_to: false
+
+- from: source_ecs.ip
+  to: source.ip
+  alias: true
+  copy_to: false
+
+- from: source_ecs.port
+  to: source.port
+  alias: true
+  copy_to: false
+
+- from: source_ecs.geo.continent_name
+  to: source.geo.continent_name
+  alias: true
+  copy_to: false
+
+- from: source_ecs.geo.country_iso_code
+  to: source.geo.country_iso_code
+  alias: true
+  copy_to: false
+
+- from: source_ecs.geo.location
+  to: source.geo.location
+  alias: true
+  copy_to: false
+
+- from: source_ecs.geo.region_name
+  to: source.geo.region_name
+  alias: true
+  copy_to: false
+
+- from: source_ecs.geo.city_name
+  to: source.geo.city_name
+  alias: true
+  copy_to: false
+
+- from: source_ecs.geo.region_iso_code
+  to: source.geo.region_iso_code
+  alias: true
+  copy_to: false
diff --git a/filebeat/_meta/fields.common.yml b/filebeat/_meta/fields.common.yml
@@ -92,19 +92,9 @@
       description: >
         Content length of the HTTP response body.
 
-    - name: source_ecs
+    - name: source
       type: group
       fields:
-      - name: ip
-        type: ip
-        description: >
-          IP address of the source.
-
-      - name: port
-        type: long
-        description: >
-          Port of the source.
-
       - name: geo
         type: group
         description:

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -2275,6 +2275,64 @@ Ephemeral identifier of this service (if one exists).
 This id normally changes across restarts, but `service.id` does not.
 
 
+--
+
+[float]
+== source fields
+
+Source fields describe details about the source of the event.
+
+
+
+*`source.ip`*::
++
+--
+type: ip
+
+IP address of the source.
+Can be one or multiple IPv4 or IPv6 addresses.
+
+
+--
+
+*`source.hostname`*::
++
+--
+type: keyword
+
+Hostname of the source.
+
+
+--
+
+*`source.port`*::
++
+--
+type: long
+
+Port of the source.
+
+
+--
+
+*`source.mac`*::
++
+--
+type: keyword
+
+MAC address of the source.
+
+
+--
+
+*`source.domain`*::
++
+--
+type: keyword
+
+Source domain.
+
+
 --
 
 [float]
@@ -4776,33 +4834,13 @@ Content length of the HTTP response body.
 --
 
 
-*`source_ecs.ip`*::
-+
---
-type: ip
-
-IP address of the source.
-
-
---
-
-*`source_ecs.port`*::
-+
---
-type: long
-
-Port of the source.
-
-
---
-
 [float]
 == geo fields
 
 Geolocation for source.
 
 
-*`source_ecs.geo.continent_name`*::
+*`source.geo.continent_name`*::
 +
 --
 type: keyword
@@ -4812,7 +4850,7 @@ Name of the continent.
 
 --
 
-*`source_ecs.geo.country_iso_code`*::
+*`source.geo.country_iso_code`*::
 +
 --
 type: keyword
@@ -4822,7 +4860,7 @@ Country ISO code.
 
 --
 
-*`source_ecs.geo.location`*::
+*`source.geo.location`*::
 +
 --
 type: geo_point
@@ -4832,7 +4870,7 @@ Longitude and latitude.
 
 --
 
-*`source_ecs.geo.region_name`*::
+*`source.geo.region_name`*::
 +
 --
 type: keyword
@@ -4842,7 +4880,7 @@ Region name.
 
 --
 
-*`source_ecs.geo.city_name`*::
+*`source.geo.city_name`*::
 +
 --
 type: keyword
@@ -4852,7 +4890,7 @@ City name.
 
 --
 
-*`source_ecs.geo.region_iso_code`*::
+*`source.geo.region_iso_code`*::
 +
 --
 type: keyword

diff --git a/filebeat/include/fields.go b/filebeat/include/fields.go
diff --git a/heartbeat/docs/fields.asciidoc b/heartbeat/docs/fields.asciidoc
@@ -1810,6 +1810,64 @@ Ephemeral identifier of this service (if one exists).
 This id normally changes across restarts, but `service.id` does not.
 
 
+--
+
+[float]
+== source fields
+
+Source fields describe details about the source of the event.
+
+
+
+*`source.ip`*::
++
+--
+type: ip
+
+IP address of the source.
+Can be one or multiple IPv4 or IPv6 addresses.
+
+
+--
+
+*`source.hostname`*::
++
+--
+type: keyword
+
+Hostname of the source.
+
+
+--
+
+*`source.port`*::
++
+--
+type: long
+
+Port of the source.
+
+
+--
+
+*`source.mac`*::
++
+--
+type: keyword
+
+MAC address of the source.
+
+
+--
+
+*`source.domain`*::
++
+--
+type: keyword
+
+Source domain.
+
+
 --
 
 [float]