elastic · webmat · May 27, 2019 · May 24, 2019 · May 24, 2019 · May 24, 2019
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -12,6 +12,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 - Update to Golang 1.12.1. {pull}11330[11330]
 - Update to Golang 1.12.4. {pull}11782[11782]
+- Update to ECS 1.0.1. {pull}12284[12284]
 
 *Auditbeat*
 

diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc
@@ -3055,7 +3055,7 @@ Version of the agent.
 == client fields
 
 A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records.
-For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields.  Client fields are generally not populated for packet-level events.
+For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events.
 Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
 
 
@@ -3216,6 +3216,8 @@ Packets sent from the client to the server.
 --
 type: long
 
+format: string
+
 Port of the client.
 
 --
@@ -3597,6 +3599,8 @@ Packets sent from the destination to the source.
 --
 type: long
 
+format: string
+
 Port of the destination.
 
 --
@@ -3895,6 +3899,8 @@ type: long
 
 example: 7
 
+format: string
+
 Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events.
 
 --
@@ -4598,6 +4604,8 @@ type: long
 
 example: 404
 
+format: string
+
 HTTP response status code.
 
 --
@@ -5163,6 +5171,10 @@ Sometimes called program name or similar.
 --
 type: long
 
+example: 4242
+
+format: string
+
 Process id.
 
 --
@@ -5172,7 +5184,11 @@ Process id.
 --
 type: long
 
-Process parent id.
+example: 4241
+
+format: string
+
+Parent process' pid.
 
 --
 
@@ -5194,6 +5210,8 @@ type: long
 
 example: 4242
 
+format: string
+
 Thread ID.
 
 --
@@ -5401,6 +5419,8 @@ Packets sent from the server to the client.
 --
 type: long
 
+format: string
+
 Port of the server.
 
 --
@@ -5717,6 +5737,8 @@ Packets sent from the source to the destination.
 --
 type: long
 
+format: string
+
 Port of the source.
 
 --
@@ -5866,6 +5888,8 @@ type: long
 
 example: 443
 
+format: string
+
 Port of the request, such as 443.
 
 --

diff --git a/auditbeat/include/fields.go b/auditbeat/include/fields.go
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -1608,7 +1608,7 @@ Version of the agent.
 == client fields
 
 A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records.
-For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields.  Client fields are generally not populated for packet-level events.
+For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events.
 Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
 
 
@@ -1769,6 +1769,8 @@ Packets sent from the client to the server.
 --
 type: long
 
+format: string
+
 Port of the client.
 
 --
@@ -2150,6 +2152,8 @@ Packets sent from the destination to the source.
 --
 type: long
 
+format: string
+
 Port of the destination.
 
 --
@@ -2448,6 +2452,8 @@ type: long
 
 example: 7
 
+format: string
+
 Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events.
 
 --
@@ -3151,6 +3157,8 @@ type: long
 
 example: 404
 
+format: string
+
 HTTP response status code.
 
 --
@@ -3716,6 +3724,10 @@ Sometimes called program name or similar.
 --
 type: long
 
+example: 4242
+
+format: string
+
 Process id.
 
 --
@@ -3725,7 +3737,11 @@ Process id.
 --
 type: long
 
-Process parent id.
+example: 4241
+
+format: string
+
+Parent process' pid.
 
 --
 
@@ -3747,6 +3763,8 @@ type: long
 
 example: 4242
 
+format: string
+
 Thread ID.
 
 --
@@ -3954,6 +3972,8 @@ Packets sent from the server to the client.
 --
 type: long
 
+format: string
+
 Port of the server.
 
 --
@@ -4270,6 +4290,8 @@ Packets sent from the source to the destination.
 --
 type: long
 
+format: string
+
 Port of the source.
 
 --
@@ -4419,6 +4441,8 @@ type: long
 
 example: 443
 
+format: string
+
 Port of the request, such as 443.
 
 --

diff --git a/filebeat/include/fields.go b/filebeat/include/fields.go
@@ -478,7 +478,7 @@ Version of the agent.
 == client fields
 
 A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records.
-For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields.  Client fields are generally not populated for packet-level events.
+For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events.
 Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
 
 
@@ -639,6 +639,8 @@ Packets sent from the client to the server.
 --
 type: long
 
+format: string
+
 Port of the client.
 
 --
@@ -1020,6 +1022,8 @@ Packets sent from the destination to the source.
 --
 type: long
 
+format: string
+
 Port of the destination.
 
 --
@@ -1318,6 +1322,8 @@ type: long
 
 example: 7
 
+format: string
+
 Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events.
 
 --
@@ -2021,6 +2027,8 @@ type: long
 
 example: 404
 
+format: string
+
 HTTP response status code.
 
 --
@@ -2586,6 +2594,10 @@ Sometimes called program name or similar.
 --
 type: long
 
+example: 4242
+
+format: string
+
 Process id.
 
 --
@@ -2595,7 +2607,11 @@ Process id.
 --
 type: long
 
-Process parent id.
+example: 4241
+
+format: string
+
+Parent process' pid.
 
 --
 
@@ -2617,6 +2633,8 @@ type: long
 
 example: 4242
 
+format: string
+
 Thread ID.
 
 --
@@ -2824,6 +2842,8 @@ Packets sent from the server to the client.
 --
 type: long
 
+format: string
+
 Port of the server.
 
 --
@@ -3140,6 +3160,8 @@ Packets sent from the source to the destination.
 --
 type: long
 
+format: string
+
 Port of the source.
 
 --
@@ -3289,6 +3311,8 @@ type: long
 
 example: 443
 
+format: string
+
 Port of the request, such as 443.
 
 --