Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rename source_ecs to source #8983

Merged
merged 3 commits into from
Nov 9, 2018
Merged

Rename source_ecs to source #8983

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3eb2749
Rename source_ecs to source
andrewkroh Nov 7, 2018
64dbd42
Remove source.hostname and destination.hostname
andrewkroh Nov 8, 2018
e3e0b7c
Update dashboard to remove source_ecs
andrewkroh Nov 9, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ https://github.com/elastic/beats/compare/v6.4.0...master[Check the HEAD diff]
- Rename source to log.file.path and log.source.ip {pull}8902[8902]
- Remove the deprecated `prospector(s)` option in the configuration use `input(s)` instead. {pull}8909[8909]
- Rename `offset` to `log.offset`. {pull}8923[8923]
- Rename `source_ecs` to `source` in the Filebeat Suricata module. {pull}8983[8983]

*Heartbeat*

Expand Down
200 changes: 171 additions & 29 deletions auditbeat/docs/fields.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -282,24 +282,6 @@ The current working directory.
Source that triggered the event.


*`source.ip`*::
+
--
type: ip

The remote address.

--

*`source.port`*::
+
--
type: keyword

The port number.

--

*`source.hostname`*::
+
--
Expand Down Expand Up @@ -3060,52 +3042,98 @@ Can be one or multiple IPv4 or IPv6 addresses.

--

*`destination.hostname`*::
*`destination.port`*::
+
--
type: long

Port of the destination.


--

*`destination.mac`*::
+
--
type: keyword

Hostname of the destination.
MAC address of the destination.


--

*`destination.port`*::
*`destination.domain`*::
+
--
type: long
type: keyword

Port of the destination.
Destination domain.


--

*`destination.mac`*::
[float]
== geo fields

Geolocation for destination.


*`destination.geo.continent_name`*::
+
--
type: keyword

MAC address of the destination.
Name of the continent.


--

*`destination.domain`*::
*`destination.geo.country_iso_code`*::
+
--
type: keyword

Destination domain.
Country ISO code.


--

*`destination.geo.location`*::
+
--
type: geo_point

Longitude and latitude.


--

*`destination.subdomain`*::
*`destination.geo.region_name`*::
+
--
type: keyword

Destination subdomain.
Region name.


--

*`destination.geo.city_name`*::
+
--
type: keyword

City name.


--

*`destination.geo.region_iso_code`*::
+
--
type: keyword

Region ISO code.


--
Expand Down Expand Up @@ -4245,6 +4273,120 @@ Ephemeral identifier of this service (if one exists).
This id normally changes across restarts, but `service.id` does not.


--

[float]
== source fields

Source fields describe details about the source of the event.



*`source.ip`*::
+
--
type: ip

IP address of the source.
Can be one or multiple IPv4 or IPv6 addresses.


--

*`source.port`*::
+
--
type: long

Port of the source.


--

*`source.mac`*::
+
--
type: keyword

MAC address of the source.


--

*`source.domain`*::
+
--
type: keyword

Source domain.


--

[float]
== geo fields

Geolocation for source.


*`source.geo.continent_name`*::
+
--
type: keyword

Name of the continent.


--

*`source.geo.country_iso_code`*::
+
--
type: keyword

Country ISO code.


--

*`source.geo.location`*::
+
--
type: geo_point

Longitude and latitude.


--

*`source.geo.region_name`*::
+
--
type: keyword

Region name.


--

*`source.geo.city_name`*::
+
--
type: keyword

City name.


--

*`source.geo.region_iso_code`*::
+
--
type: keyword

Region ISO code.


--

[float]
Expand Down
2 changes: 1 addition & 1 deletion auditbeat/include/fields.go
View file
Open in desktop

Large diffs are not rendered by default.

6 changes: 0 additions & 6 deletions auditbeat/module/auditd/_meta/fields.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,12 +103,6 @@
type: group
description: Source that triggered the event.
fields:
- name: ip
type: ip
description: The remote address.
- name: port
type: keyword
description: The port number.
- name: hostname
type: keyword
description: Hostname of the source.
Expand Down
40 changes: 40 additions & 0 deletions dev-tools/ecs-migration.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,3 +44,43 @@
to: agent.version
alias: true
copy_to: false

- from: source_ecs.ip
to: source.ip
alias: true
copy_to: false

- from: source_ecs.port
to: source.port
alias: true
copy_to: false

- from: source_ecs.geo.continent_name
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needlessly verbose, IMO. What about the following?

- from: source_ecs.geo
  to: source.geo

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know how ecs-migration.yml will be used so I can't say for sure whether this is needlessly verbose. But if I can speculate, I think the level of detail here is appropriate if this will be used to create aliases because aliases must target concrete fields, not objects like source.geo.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point

to: source.geo.continent_name
alias: true
copy_to: false

- from: source_ecs.geo.country_iso_code
to: source.geo.country_iso_code
alias: true
copy_to: false

- from: source_ecs.geo.location
to: source.geo.location
alias: true
copy_to: false

- from: source_ecs.geo.region_name
to: source.geo.region_name
alias: true
copy_to: false

- from: source_ecs.geo.city_name
to: source.geo.city_name
alias: true
copy_to: false

- from: source_ecs.geo.region_iso_code
to: source.geo.region_iso_code
alias: true
copy_to: false
Loading