ECS software packages and runtime dependencies

CHANGELOG.next.md

@@ -10,6 +10,7 @@ Thanks, you're awesome :-) -->
 ### Bugfixes
 
 ### Added
+* Add support for installed software packages. #532
 
 * Added fields in `log.*` to allow for full Syslog mapping. #525
 * Add group.domain field #547

docs/field-details.asciidoc

@@ -2691,6 +2691,146 @@ Note also that the `os` fields are not expected to be used directly at the top l
 
 
 
+[[ecs-package]]
+=== Package Fields
+
+These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or where
+
+==== Package Field Details
+
+[options="header"]
+|=====
+| Field  | Description | Level
+
+// ===============================================================
+
+| package.architecture
+| Package architecture.
+
+type: keyword
+
+example: `runtime`
+
+| extended
+
+// ===============================================================
+
+| package.checksum
+| Checksum of the installed package for verification.
+
+type: keyword
+
+example: `68b329da9893e34099c7d8ad5cb9c940`
+
+| extended
+
+// ===============================================================
+
+| package.description
+| Description of the package.
+
+type: keyword
+
+example: `Open source programming language to build simple/reliable/efficient software.`
+
+| extended
+
+// ===============================================================
+
+| package.install_scope
+| Indicating how the package was installed, e.g. user-local, global.
+
+type: keyword
+
+example: `global`
+
+| extended
+
+// ===============================================================
+
+| package.installed
+| Time when package was installed.
+
+type: date
+
+
+
+| extended
+
+// ===============================================================
+
+| package.license
+| License under which the package was released.
+
+Use a short name, e.g. the license identifier from [SPDX License List](https://spdx.org/licenses/) where possible.
+
+type: keyword
+
+example: `Apache License 2.0`
+
+| extended
+
+// ===============================================================
+
+| package.name
+| Package name
+
+type: keyword
+
+example: `go`
+
+| extended
+
+// ===============================================================
+
+| package.path
+| Path where the package is installed.
+
+type: keyword
+
+example: `/usr/local/Cellar/go/1.12.9/`
+
+| extended
+
+// ===============================================================
+
+| package.size
+| Package size in bytes.
+
+type: long
+
+example: `62231`
+
+| extended
+
+// ===============================================================
+
+| package.type
+| Type of package.
+
+When installed from a package manager, this would contain the package manager name, e.g. RPM, DPKG, Homebrew, NPM.
+
+type: keyword
+
+example: `RPM`
+
+| extended
+
+// ===============================================================
+
+| package.version
+| Package version
+
+type: keyword
+
+example: `1.12.9`
+
+| extended
+
+// ===============================================================
+
+|=====
+
 [[ecs-process]]
 === Process Fields
 

docs/fields.asciidoc

@@ -62,6 +62,8 @@ all fields are defined.
 
 | <<ecs-os,Operating System>> | OS fields contain information about the operating system.
 
+| <<ecs-package,Package>> | These fields contain information about an installed software package.
+
 | <<ecs-process,Process>> | These fields contain information about a process.
 
 | <<ecs-related,Related>> | Fields meant to facilitate pivoting around a piece of data.

generated/beats/fields.ecs.yml

@@ -2019,6 +2019,85 @@
       ignore_above: 1024
       description: Operating system version as a raw string.
       example: 10.14.1
+  - name: package
+    title: Package
+    group: 2
+    description: These fields contain information about an installed software package.
+      It contains general information about a package, such as name, version or size.
+      It also contains installation details, such as time or where
+    type: group
+    fields:
+    - name: architecture
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Package architecture.
+      example: runtime
+    - name: checksum
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Checksum of the installed package for verification.
+      example: 68b329da9893e34099c7d8ad5cb9c940
+    - name: description
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Description of the package.
+      example: Open source programming language to build simple/reliable/efficient
+        software.
+    - name: install_scope
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Indicating how the package was installed, e.g. user-local, global.
+      example: global
+    - name: installed
+      level: extended
+      type: date
+      description: Time when package was installed.
+    - name: license
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'License under which the package was released.
+
+        Use a short name, e.g. the license identifier from [SPDX License List](https://spdx.org/licenses/)
+        where possible.'
+      example: Apache License 2.0
+    - name: name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Package name
+      example: go
+    - name: path
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Path where the package is installed.
+      example: /usr/local/Cellar/go/1.12.9/
+    - name: size
+      level: extended
+      type: long
+      format: string
+      description: Package size in bytes.
+      example: 62231
+    - name: type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Type of package.
+
+        When installed from a package manager, this would contain the package manager
+        name, e.g. RPM, DPKG, Homebrew, NPM.'
+      example: RPM
+    - name: version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Package version
+      example: 1.12.9
   - name: process
     title: Process
     group: 2

generated/csv/fields.csv

@@ -254,6 +254,17 @@ os.kernel,keyword,extended,4.4.0-112-generic,1.2.0-dev
 os.name,keyword,extended,Mac OS X,1.2.0-dev
 os.platform,keyword,extended,darwin,1.2.0-dev
 os.version,keyword,extended,10.14.1,1.2.0-dev
+package.architecture,keyword,extended,runtime,1.2.0-dev
+package.checksum,keyword,extended,68b329da9893e34099c7d8ad5cb9c940,1.2.0-dev
+package.description,keyword,extended,Open source programming language to build simple/reliable/efficient software.,1.2.0-dev
+package.install_scope,keyword,extended,global,1.2.0-dev
+package.installed,date,extended,,1.2.0-dev
+package.license,keyword,extended,Apache License 2.0,1.2.0-dev
+package.name,keyword,extended,go,1.2.0-dev
+package.path,keyword,extended,/usr/local/Cellar/go/1.12.9/,1.2.0-dev
+package.size,long,extended,62231,1.2.0-dev
+package.type,keyword,extended,RPM,1.2.0-dev
+package.version,keyword,extended,1.12.9,1.2.0-dev
 process.args,keyword,extended,"['ssh', '-l', 'user', '10.0.0.16']",1.2.0-dev
 process.executable,keyword,extended,/usr/bin/ssh,1.2.0-dev
 process.hash.md5,keyword,extended,,1.2.0-dev