Migrate system socket fields metricset to ECS

CHANGELOG.next.asciidoc

@@ -92,6 +92,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Migrate system process metricset fields to ECS. {pull}10332[10332]
 - Refactor Prometheus metric mappings {pull}9948[9948]
 - Removed Prometheus stats metricset in favor of just using Prometheus collector {pull}9948[9948]
+- Migrate system socket metricset fields to ECS. {pull}10339[10339]
+- Renamed direction values in sockets to ECS recommendations, from incoming/outcoming to inbound/outbound. {pull}10339[10339]
 - Adjust Redis.info metricset fields to ECS. {pull}10319[10319]
 - Change type of field docker.container.ip_addresses to `ip` instead of `keyword`. {pull}10364[10364]
 - Rename http.request.body field to http.request.body.content. {pull}10315[10315]

dev-tools/ecs-migration.yml

@@ -1573,6 +1573,41 @@
   alias: true
   beat: metricbeat
 
+- from: system.socket.direction
+  to: network.direction
+  alias: true
+  beat: metricbeat
+
+- from: system.socket.family
+  to: network.type
+  alias: true
+  beat: metricbeat
+
+- from: system.socket.process.command
+  to: process.name
+  alias: true
+  beat: metricbeat
+
+- from: system.socket.process.exe
+  to: process.executable
+  alias: true
+  beat: metricbeat
+
+- from: system.socket.process.pid
+  to: process.pid
+  alias: true
+  beat: metricbeat
+
+- from: system.socket.user.id
+  to: user.id
+  alias: true
+  beat: metricbeat
+
+- from: system.socket.user.name
+  to: user.full_name
+  alias: true
+  beat: metricbeat
+
 ### Kibana
 
 - from: kibana.stats.uuid

metricbeat/docs/fields.asciidoc

@@ -24515,24 +24515,18 @@ TCP sockets that are active.
 *`system.socket.direction`*::
 +
 --
-type: keyword
-
-example: incoming
-
-How the socket was initiated. Possible values are incoming, outgoing, or listening.
+type: alias
 
+alias to: network.direction
 
 --
 
 *`system.socket.family`*::
 +
 --
-type: keyword
-
-example: ipv4
-
-Address family.
+type: alias
 
+alias to: network.type
 
 --
 
@@ -24621,20 +24615,18 @@ Error describing the cause of the reverse lookup failure.
 *`system.socket.process.pid`*::
 +
 --
-type: long
-
-ID of the process that opened the socket.
+type: alias
 
+alias to: process.pid
 
 --
 
 *`system.socket.process.command`*::
 +
 --
-type: keyword
-
-Name of the command (limited to 20 chars by the OS).
+type: alias
 
+alias to: process.name
 
 --
 
@@ -24643,37 +24635,35 @@ Name of the command (limited to 20 chars by the OS).
 --
 type: keyword
 
+Full command line
 
 
 --
 
 *`system.socket.process.exe`*::
 +
 --
-type: keyword
-
-Absolute path to the executable.
+type: alias
 
+alias to: process.executable
 
 --
 
 *`system.socket.user.id`*::
 +
 --
-type: long
-
-UID of the user running the process.
+type: alias
 
+alias to: user.id
 
 --
 
 *`system.socket.user.name`*::
 +
 --
-type: keyword
-
-Name of the user running the process.
+type: alias
 
+alias to: user.full_name
 
 --
 

metricbeat/helper/socket/listeners.go

@@ -26,20 +26,27 @@ type Direction uint8
 
 const (
 	_ Direction = iota
-	// Incoming indicates a connection was established from the outside to
+	// Inbound indicates a connection was established from the outside to
 	// listening socket on this host.
-	Incoming
-	// Outgoing indicates a connection was established from this socket to an
+	Inbound
+	// Outbound indicates a connection was established from this socket to an
 	// external listening socket.
-	Outgoing
+	Outbound
 	// Listening indicates a socket that is listening.
 	Listening
 )
 
+// Names for the direction of a connection
+const (
+	InboundName   = "inbound"
+	OutboundName  = "outbound"
+	ListeningName = "listening"
+)
+
 var directionNames = map[Direction]string{
-	Incoming:  "incoming",
-	Outgoing:  "outgoing",
-	Listening: "listening",
+	Inbound:   InboundName,
+	Outbound:  OutboundName,
+	Listening: ListeningName,
 }
 
 func (d Direction) String() string {
@@ -103,7 +110,7 @@ func (t *ListenerTable) Put(proto uint8, ip net.IP, port int) {
 
 // Direction returns whether the connection was incoming or outgoing based on
 // the protocol and local address. It compares the given local address to the
-// listeners in the table for the protocol and returns Incoming if there is a
+// listeners in the table for the protocol and returns Inbound if there is a
 // match. If remotePort is 0 then Listening is returned.
 func (t *ListenerTable) Direction(
 	proto uint8,
@@ -117,13 +124,13 @@ func (t *ListenerTable) Direction(
 	// Are there any listeners on the given protocol?
 	ports, exists := t.data[proto]
 	if !exists {
-		return Outgoing
+		return Outbound
 	}
 
 	// Is there any listener on the port?
 	interfaces, exists := ports[localPort]
 	if !exists {
-		return Outgoing
+		return Outbound
 	}
 
 	// Is there a listener that specific interface? OR
@@ -132,13 +139,13 @@ func (t *ListenerTable) Direction(
 	for _, ip := range interfaces.ips {
 		switch {
 		case ip.Equal(localIP):
-			return Incoming
+			return Inbound
 		case ip.Equal(net.IPv4zero) && isIPv4:
-			return Incoming
+			return Inbound
 		case ip.Equal(net.IPv6zero) && !isIPv4:
-			return Incoming
+			return Inbound
 		}
 	}
 
-	return Outgoing
+	return Outbound
 }

metricbeat/helper/socket/listeners_test.go

@@ -40,21 +40,21 @@ func TestListenerTable(t *testing.T) {
 	// Listener on 192.0.2.1:80
 	l.Put(proto, lAddr, httpPort)
 
-	assert.Equal(t, Incoming, l.Direction(proto, lAddr, httpPort, rAddr, ephemeralPort))
-	assert.Equal(t, Outgoing, l.Direction(0, lAddr, httpPort, rAddr, ephemeralPort))
-	assert.Equal(t, Outgoing, l.Direction(proto, lAddr, ephemeralPort, rAddr, ephemeralPort))
+	assert.Equal(t, Inbound, l.Direction(proto, lAddr, httpPort, rAddr, ephemeralPort))
+	assert.Equal(t, Outbound, l.Direction(0, lAddr, httpPort, rAddr, ephemeralPort))
+	assert.Equal(t, Outbound, l.Direction(proto, lAddr, ephemeralPort, rAddr, ephemeralPort))
 
 	// Listener on 0.0.0.0:80
 	l.Reset()
 	l.Put(proto, net.IPv4zero, httpPort)
 
-	assert.Equal(t, Incoming, l.Direction(proto, lAddr, httpPort, rAddr, ephemeralPort))
-	assert.Equal(t, Outgoing, l.Direction(proto, ipv6Addr, httpPort, rAddr, ephemeralPort))
+	assert.Equal(t, Inbound, l.Direction(proto, lAddr, httpPort, rAddr, ephemeralPort))
+	assert.Equal(t, Outbound, l.Direction(proto, ipv6Addr, httpPort, rAddr, ephemeralPort))
 
 	// Listener on :::80
 	l.Reset()
 	l.Put(proto, net.IPv6zero, httpPort)
 
-	assert.Equal(t, Incoming, l.Direction(proto, ipv6Addr, httpPort, rAddr, ephemeralPort))
-	assert.Equal(t, Outgoing, l.Direction(proto, lAddr, httpPort, rAddr, ephemeralPort))
+	assert.Equal(t, Inbound, l.Direction(proto, ipv6Addr, httpPort, rAddr, ephemeralPort))
+	assert.Equal(t, Outbound, l.Direction(proto, lAddr, httpPort, rAddr, ephemeralPort))
 }

metricbeat/helper/socket/ptable.go

@@ -34,6 +34,7 @@ type Proc struct {
 	Command    string
 	Executable string
 	CmdLine    string
+	Args       []string
 }
 
 // ProcTable contains all of the active processes (if the current user is root).
@@ -101,6 +102,7 @@ func (t *ProcTable) Refresh() error {
 			if cmdline, err := p.CmdLine(); err != nil {
 				errs = append(errs, err)
 			} else {
+				proc.Args = cmdline
 				proc.CmdLine = strings.Join(cmdline, " ")
 			}
 		}

metricbeat/module/system/socket/_meta/data.json

@@ -12,27 +12,41 @@
     "metricset": {
         "name": "socket"
     },
+    "network": {
+        "direction": "listening",
+        "iana_number": "41",
+        "type": "ipv6"
+    },
+    "process": {
+        "args": [
+            "/tmp/go-build774092237/b001/socket.test",
+            "-data"
+        ],
+        "executable": "/tmp/go-build774092237/b001/socket.test",
+        "name": "socket.test",
+        "pid": 32127
+    },
+    "server": {
+        "ip": "::",
+        "port": 45109
+    },
     "service": {
         "type": "system"
     },
     "system": {
         "socket": {
-            "direction": "listening",
-            "family": "ipv6",
             "local": {
                 "ip": "::",
-                "port": 44367
+                "port": 45109
             },
             "process": {
-                "cmdline": "/tmp/go-build827888631/b001/socket.test -data",
-                "command": "socket.test",
-                "exe": "/tmp/go-build827888631/b001/socket.test",
-                "pid": 19047
-            },
-            "user": {
-                "id": 1000,
-                "name": "Jaime Soriano Pastor"
+                "cmdline": "/tmp/go-build774092237/b001/socket.test -data"
             }
         }
+    },
+    "user": {
+        "full_name": "Jaime Soriano Pastor",
+        "id": "1000",
+        "name": "jaime"
     }
 }

metricbeat/module/system/socket/_meta/data_inbound.json

@@ -0,0 +1,48 @@
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "destination": {
+        "ip": "::1",
+        "port": 45109
+    },
+    "event": {
+        "dataset": "system.socket",
+        "duration": 115000,
+        "module": "system"
+    },
+    "metricset": {
+        "name": "socket"
+    },
+    "network": {
+        "direction": "inbound",
+        "iana_number": "41",
+        "type": "ipv6"
+    },
+    "service": {
+        "type": "system"
+    },
+    "source": {
+        "ip": "::1",
+        "port": 33972
+    },
+    "system": {
+        "socket": {
+            "local": {
+                "ip": "::1",
+                "port": 45109
+            },
+            "remote": {
+                "ip": "::1",
+                "port": 33972
+            }
+        }
+    },
+    "user": {
+        "full_name": "root",
+        "id": "0",
+        "name": "root"
+    }
+}