Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Swap source.bytes and destination.bytes traffic log mappings #32927

Merged
merged 3 commits into from
Sep 12, 2022

Conversation

asmith-elastic
Copy link
Contributor

@asmith-elastic asmith-elastic commented Aug 30, 2022

What does this PR do?

This proposed change will map Bytes Received to destination.bytes and Bytes Sent to client.bytes.

Why is it important?

This documentation currently mapps Bytes Received to server.bytes and source.bytes as well as Bytes Sent to client.bytes and destination.bytes.

This mapping is incorrect as per the Palot Alto Docs, bytes_sent is defined as Number of bytes in the client-to-server direction of the session. and matches the ECS definitions for client.bytes and source.bytes being bytes from client/source => server/destination.

Likewise, bytes_received is defined as Number of bytes in the server-to-client direction of the session. and matches the destination.bytes and server.bytes definitions in ECS being the bytes sent from server/destination => client/source.

Furthermore, the panw filebeat module mapping and integration pipeline both follow the above conventions.

Checklist

- [ ] My code follows the style guidelines of this project
- [ ] I have commented my code, particularly in hard-to-understand areas

  • I have made corresponding changes to the documentation
    - [ ] I have made corresponding change to the default configuration files
    - [ ] I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

EDIT: Below is a pull request which contains the fix made within the PANW filebeat module in order to swap these same two values. #18525.

This documentation currently mapps `Bytes Received` to `server.bytes` and `source.bytes` as well as `Bytes Sent` to `client.bytes` and `destination.bytes`. 

This mapping is incorrect as per the [Palot Alto Docs](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields), `bytes_sent` is defined as `Number of bytes in the client-to-server direction of the session.` and matches the ECS definitions for `client.bytes` and `source.bytes` being bytes from `client/source => server/destination`. 

Likewise, `bytes_received` is defined as `Number of bytes in the server-to-client direction of the session.` and matches the `destination.bytes` and `server.bytes` definitions in ECS being the bytes sent from `server/destination => client/source`.

Furthermore, the [panw filebeat module mapping](https://github.com/elastic/beats/blob/v8.4.0/x-pack/filebeat/module/panw/panos/config/input.yml#L95) and [integration pipeline](https://github.com/elastic/integrations/blob/main/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/traffic.yml#L212) both follow the above conventions. 

This proposed change will map `Bytes Received` to `destination.bytes` and `Bytes Sent` to `client.bytes`.
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Aug 30, 2022
@mergify
Copy link
Contributor

mergify bot commented Aug 30, 2022

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @asmith-elastic? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

@elasticmachine
Copy link
Collaborator

elasticmachine commented Aug 30, 2022

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-09-06T23:36:27.259+0000

  • Duration: 8 min 6 sec

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@asmith-elastic asmith-elastic added the Team:Docs Label for the Observability docs team label Aug 30, 2022
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Aug 30, 2022
@asmith-elastic asmith-elastic marked this pull request as ready for review August 30, 2022 17:48
@asmith-elastic asmith-elastic requested a review from a team as a code owner August 30, 2022 17:48
@elasticmachine
Copy link
Collaborator

Pinging @elastic/obs-docs (Team:Docs)

@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please reflect these changes in filebeat/docs/modules/panw.asciidoc. You can do this by running make update in the filebeat (not x-pack) directory or just by copying these changes over to that file.

asmith-elastic and others added 2 commits August 30, 2022 15:55
Swapping the values of `source.bytes` and `destination.bytes` in order to align the documentation with the changes implemented in #18525
Copy link
Contributor

@dedemorton dedemorton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@dedemorton dedemorton added backport-7.17 Automated backport to the 7.17 branch with mergify backport-v8.4.0 Automated backport with mergify labels Sep 12, 2022
@dedemorton
Copy link
Contributor

Going to merge this to get it into the published docs. Let me know if it's critical to backport this to other branches that are no longer in-service. (It will be backported to 8.4 and 7.17.) Thanks!

@dedemorton dedemorton merged commit 0930b9b into main Sep 12, 2022
@dedemorton dedemorton deleted the asmith-elastic-patch-1 branch September 12, 2022 21:58
mergify bot pushed a commit that referenced this pull request Sep 12, 2022
)

* Swap `source.bytes` and `destination.bytes` traffic log mappings

This documentation currently mapps `Bytes Received` to `server.bytes` and `source.bytes` as well as `Bytes Sent` to `client.bytes` and `destination.bytes`.

This mapping is incorrect as per the [Palot Alto Docs](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields), `bytes_sent` is defined as `Number of bytes in the client-to-server direction of the session.` and matches the ECS definitions for `client.bytes` and `source.bytes` being bytes from `client/source => server/destination`.

Likewise, `bytes_received` is defined as `Number of bytes in the server-to-client direction of the session.` and matches the `destination.bytes` and `server.bytes` definitions in ECS being the bytes sent from `server/destination => client/source`.

Furthermore, the [panw filebeat module mapping](https://github.com/elastic/beats/blob/v8.4.0/x-pack/filebeat/module/panw/panos/config/input.yml#L95) and [integration pipeline](https://github.com/elastic/integrations/blob/main/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/traffic.yml#L212) both follow the above conventions.

This proposed change will map `Bytes Received` to `destination.bytes` and `Bytes Sent` to `client.bytes`.

* Swap `source.bytes` and `destination.bytes` traffic log mappings

Swapping the values of `source.bytes` and `destination.bytes` in order to align the documentation with the changes implemented in #18525

* Run make update

Co-authored-by: dedemorton <dede.morton@elastic.co>
(cherry picked from commit 0930b9b)
mergify bot pushed a commit that referenced this pull request Sep 12, 2022
)

* Swap `source.bytes` and `destination.bytes` traffic log mappings

This documentation currently mapps `Bytes Received` to `server.bytes` and `source.bytes` as well as `Bytes Sent` to `client.bytes` and `destination.bytes`.

This mapping is incorrect as per the [Palot Alto Docs](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields), `bytes_sent` is defined as `Number of bytes in the client-to-server direction of the session.` and matches the ECS definitions for `client.bytes` and `source.bytes` being bytes from `client/source => server/destination`.

Likewise, `bytes_received` is defined as `Number of bytes in the server-to-client direction of the session.` and matches the `destination.bytes` and `server.bytes` definitions in ECS being the bytes sent from `server/destination => client/source`.

Furthermore, the [panw filebeat module mapping](https://github.com/elastic/beats/blob/v8.4.0/x-pack/filebeat/module/panw/panos/config/input.yml#L95) and [integration pipeline](https://github.com/elastic/integrations/blob/main/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/traffic.yml#L212) both follow the above conventions.

This proposed change will map `Bytes Received` to `destination.bytes` and `Bytes Sent` to `client.bytes`.

* Swap `source.bytes` and `destination.bytes` traffic log mappings

Swapping the values of `source.bytes` and `destination.bytes` in order to align the documentation with the changes implemented in #18525

* Run make update

Co-authored-by: dedemorton <dede.morton@elastic.co>
(cherry picked from commit 0930b9b)
dedemorton pushed a commit that referenced this pull request Sep 13, 2022
) (#33059)

* Swap `source.bytes` and `destination.bytes` traffic log mappings

This documentation currently mapps `Bytes Received` to `server.bytes` and `source.bytes` as well as `Bytes Sent` to `client.bytes` and `destination.bytes`.

This mapping is incorrect as per the [Palot Alto Docs](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields), `bytes_sent` is defined as `Number of bytes in the client-to-server direction of the session.` and matches the ECS definitions for `client.bytes` and `source.bytes` being bytes from `client/source => server/destination`.

Likewise, `bytes_received` is defined as `Number of bytes in the server-to-client direction of the session.` and matches the `destination.bytes` and `server.bytes` definitions in ECS being the bytes sent from `server/destination => client/source`.

Furthermore, the [panw filebeat module mapping](https://github.com/elastic/beats/blob/v8.4.0/x-pack/filebeat/module/panw/panos/config/input.yml#L95) and [integration pipeline](https://github.com/elastic/integrations/blob/main/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/traffic.yml#L212) both follow the above conventions.

This proposed change will map `Bytes Received` to `destination.bytes` and `Bytes Sent` to `client.bytes`.

* Swap `source.bytes` and `destination.bytes` traffic log mappings

Swapping the values of `source.bytes` and `destination.bytes` in order to align the documentation with the changes implemented in #18525

* Run make update

Co-authored-by: dedemorton <dede.morton@elastic.co>
(cherry picked from commit 0930b9b)

Co-authored-by: Austin Smith <76973609+asmith-elastic@users.noreply.github.com>
dedemorton pushed a commit that referenced this pull request Sep 13, 2022
) (#33060)

* Swap `source.bytes` and `destination.bytes` traffic log mappings

This documentation currently mapps `Bytes Received` to `server.bytes` and `source.bytes` as well as `Bytes Sent` to `client.bytes` and `destination.bytes`.

This mapping is incorrect as per the [Palot Alto Docs](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields), `bytes_sent` is defined as `Number of bytes in the client-to-server direction of the session.` and matches the ECS definitions for `client.bytes` and `source.bytes` being bytes from `client/source => server/destination`.

Likewise, `bytes_received` is defined as `Number of bytes in the server-to-client direction of the session.` and matches the `destination.bytes` and `server.bytes` definitions in ECS being the bytes sent from `server/destination => client/source`.

Furthermore, the [panw filebeat module mapping](https://github.com/elastic/beats/blob/v8.4.0/x-pack/filebeat/module/panw/panos/config/input.yml#L95) and [integration pipeline](https://github.com/elastic/integrations/blob/main/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/traffic.yml#L212) both follow the above conventions.

This proposed change will map `Bytes Received` to `destination.bytes` and `Bytes Sent` to `client.bytes`.

* Swap `source.bytes` and `destination.bytes` traffic log mappings

Swapping the values of `source.bytes` and `destination.bytes` in order to align the documentation with the changes implemented in #18525

* Run make update

Co-authored-by: dedemorton <dede.morton@elastic.co>
(cherry picked from commit 0930b9b)

Co-authored-by: Austin Smith <76973609+asmith-elastic@users.noreply.github.com>
chrisberkhout pushed a commit that referenced this pull request Jun 1, 2023
)

* Swap `source.bytes` and `destination.bytes` traffic log mappings

This documentation currently mapps `Bytes Received` to `server.bytes` and `source.bytes` as well as `Bytes Sent` to `client.bytes` and `destination.bytes`. 

This mapping is incorrect as per the [Palot Alto Docs](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields), `bytes_sent` is defined as `Number of bytes in the client-to-server direction of the session.` and matches the ECS definitions for `client.bytes` and `source.bytes` being bytes from `client/source => server/destination`. 

Likewise, `bytes_received` is defined as `Number of bytes in the server-to-client direction of the session.` and matches the `destination.bytes` and `server.bytes` definitions in ECS being the bytes sent from `server/destination => client/source`.

Furthermore, the [panw filebeat module mapping](https://github.com/elastic/beats/blob/v8.4.0/x-pack/filebeat/module/panw/panos/config/input.yml#L95) and [integration pipeline](https://github.com/elastic/integrations/blob/main/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/traffic.yml#L212) both follow the above conventions. 

This proposed change will map `Bytes Received` to `destination.bytes` and `Bytes Sent` to `client.bytes`.

* Swap `source.bytes` and `destination.bytes` traffic log mappings

Swapping the values of `source.bytes` and `destination.bytes` in order to align the documentation with the changes implemented in #18525

* Run make update

Co-authored-by: dedemorton <dede.morton@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport-7.17 Automated backport to the 7.17 branch with mergify backport-v8.4.0 Automated backport with mergify docs Team:Docs Label for the Observability docs team
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants