Keep unparsed user agent information in user_agent.original

[kvch]

user_agent.raw has been renamed to user_agent.original. As this field is not yet released I am renaming it to follow conventions.

[ruflin]

Change LGTM. I think it will need a Changelog entry.

I have second thoughts if we should backport this to 6.x or not (not only raw to original, but the overall change).

[kvch]

Why? I think it can provide useful information is case of exotic user agents. I assume when someone investigates weird events happening in his/her network, it's possible that the person who might be lurking around leaves behind "unconventional" user agents.

[kvch]

Added changelog entry && rebased the branch

[jsoriano]

If this hasn't been released yet, what about editing the previous entry instead of adding two for the same thing?

[ruflin]

++

[ruflin]

@kvch Few thoughts around this that recently came up:

• Should we actually index user_agent.original? Is it mean to be searchable or more for reprocessing or looking into it when an event is found for the user (it will still be part of _source). This could save quite a bit of space on indexing
• The user_agent field will be a common field in 7.0 because of ECS. So the local fields will probably disappear. Should we add more fields now or wait for 7.0 until it's unified?

[kvch]

• +1 for not indexing it
• I would wait for 7.0. I have already renamed a few fields, because ECS is still a work in progress. I would rather minimize this overhead. If unavoidable, I would do it in a bulk before 7.0 is released.

[kvch]

@ruflin are you ok with merging this as is?

[ruflin]

As we set index: false it should not matter here what type is defined. In ECS it seems we put keyword. Only reason I mention this is we should check later what shows up in the docs for non indexed fields.

[kvch]

Got it. Thanks for the info.

[ruflin]

@kvch LGTM. Did an additional commit to resolve a CHANGELOG conflict.

[kvch]

Failing tests are unrelated.