Rename source_ecs to source #8983

Merged
merged 3 commits into from
Nov 9, 2018
1 change: 1 addition & 0 deletions CHANGELOG.asciidoc
Expand Up @@ -27,6 +27,7 @@ https://github.com/elastic/beats/compare/v6.4.0...master[Check the HEAD diff]
- Rename source to log.file.path and log.source.ip {pull}8902[8902]
- Remove the deprecated `prospector(s)` option in the configuration use `input(s)` instead. {pull}8909[8909]
- Rename `offset` to `log.offset`. {pull}8923[8923]
- Rename `source_ecs` to `source` in the Filebeat Suricata module. {pull}8983[8983]

*Heartbeat*

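Review bot: The new entry (`{pull}8983[8983]`) scopes the rename to the Filebeat Suricata module, but the rename itself is made in `filebeat/_meta/fields.common.yml`, which is a Filebeat common-fields definition rather than a Suricata module file. Suggest wording it as a rename of the common `source_ecs` group so that anyone with dashboards, saved searches or detection queries on `source_ecs.*` finds it, and adding an Auditbeat entry because this PR also changes the auditd `source.port` definition from `keyword` to `long`.
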
85 changes: 58 additions & 27 deletions auditbeat/docs/fields.asciidoc
Expand Up @@ -282,33 +282,6 @@ The current working directory.
Source that triggered the event.


*`source.ip`*::
+
--
type: ip

The remote address.

--

*`source.port`*::
+
--
type: keyword

The port number.

--

*`source.hostname`*::
+
--
type: keyword

Hostname of the source.

--

*`source.path`*::
+
--
Expand Down Expand Up @@ -4245,6 +4218,64 @@ Ephemeral identifier of this service (if one exists).
This id normally changes across restarts, but `service.id` does not.


--

[float]
== source fields

Source fields describe details about the source of the event.



*`source.ip`*::
+
--
type: ip

IP address of the source.
Can be one or multiple IPv4 or IPv6 addresses.


--

*`source.hostname`*::
+
--
type: keyword

Hostname of the source.


--

*`source.port`*::
+
--
type: long

Port of the source.


--

*`source.mac`*::
+
--
type: keyword

MAC address of the source.


--

*`source.domain`*::
+
--
type: keyword

Source domain.


--

[float]
2 changes: 1 addition & 1 deletion auditbeat/include/fields.go

Large diffs are not rendered by default.

9 changes: 0 additions & 9 deletions auditbeat/module/auditd/_meta/fields.yml
Expand Up @@ -103,15 +103,6 @@
type: group
description: Source that triggered the event.
fields:
- name: ip
type: ip
description: The remote address.
- name: port
type: keyword
description: The port number.
- name: hostname
type: keyword
description: Hostname of the source.
- name: path
type: keyword
description: This is the path associated with a unix socket.
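
Review bot: Dropping `port` from this group changes its mapping, not just where it is declared: the removed auditd definition is `type: keyword`, while the shared `source.port` documented in auditbeat/docs/fields.asciidoc is `type: long`. Please confirm the auditd module emits the port as a number, and call the type change out in the changelog, since queries and aggregations written against the keyword field, and index patterns that span old and new indices, will see conflicting types for `source.port`.
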
40 changes: 40 additions & 0 deletions dev-tools/ecs-migration.yml
Expand Up @@ -44,3 +44,43 @@
to: agent.version
alias: true
copy_to: false

- from: source_ecs.ip
to: source.ip
alias: true
copy_to: false

- from: source_ecs.port
to: source.port
alias: true
copy_to: false

- from: source_ecs.geo.continent_name

Contributor

Needlessly verbose, IMO. What about the following?

- from: source_ecs.geo
  to: source.geo

Member Author

I don't know how ecs-migration.yml will be used so I can't say for sure whether this is needlessly verbose. But if I can speculate, I think the level of detail here is appropriate if this will be used to create aliases because aliases must target concrete fields, not objects like source.geo.

Contributor

Good point

to: source.geo.continent_name
alias: true
copy_to: false

- from: source_ecs.geo.country_iso_code
to: source.geo.country_iso_code
alias: true
copy_to: false

- from: source_ecs.geo.location
to: source.geo.location
alias: true
copy_to: false

- from: source_ecs.geo.region_name
to: source.geo.region_name
alias: true
copy_to: false

- from: source_ecs.geo.city_name
to: source.geo.city_name
alias: true
copy_to: false

- from: source_ecs.geo.region_iso_code
to: source.geo.region_iso_code
alias: true
copy_to: false
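
Review bot: The per-leaf `source_ecs.geo.*` entries follow the reasoning given in the thread above (aliases must target concrete fields, not objects like `source.geo`), but that reasoning is recorded only in this review. Add a short YAML comment above the `source_ecs.geo.continent_name` entry stating that each geo leaf needs its own `from`/`to` pair, so the block is not later collapsed to `source_ecs.geo` and a geo leaf added in future is not left without an alias.
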
12 changes: 1 addition & 11 deletions filebeat/_meta/fields.common.yml
Expand Up @@ -92,19 +92,9 @@
description: >
Content length of the HTTP response body.

- name: source_ecs
- name: source
type: group
fields:
- name: ip
type: ip
description: >
IP address of the source.

- name: port
type: long
description: >
Port of the source.

- name: geo
type: group
description:
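
Review bot: With `ip` and `port` removed, this `source` group declares only `geo`, while `source.ip` and `source.port` now come from the separate "source fields" definition shown in filebeat/docs/fields.asciidoc. That leaves `source` defined in two places, and the generated docs still list `source.geo.*` under a standalone "geo fields" section after the HTTP response fields rather than with the other source fields. Please check that field generation merges the two groups instead of letting one override the other, and consider moving `geo` next to the shared `source` definition.
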
90 changes: 64 additions & 26 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -2275,6 +2275,64 @@ Ephemeral identifier of this service (if one exists).
This id normally changes across restarts, but `service.id` does not.


--

[float]
== source fields

Source fields describe details about the source of the event.



*`source.ip`*::
+
--
type: ip

IP address of the source.
Can be one or multiple IPv4 or IPv6 addresses.


--

*`source.hostname`*::
+
--
type: keyword

Hostname of the source.


--

*`source.port`*::
+
--
type: long

Port of the source.


--

*`source.mac`*::
+
--
type: keyword

MAC address of the source.


--

*`source.domain`*::
+
--
type: keyword

Source domain.


--

[float]
Expand Down Expand Up @@ -4776,33 +4834,13 @@ Content length of the HTTP response body.
--


*`source_ecs.ip`*::
+
--
type: ip

IP address of the source.


--

*`source_ecs.port`*::
+
--
type: long

Port of the source.


--

[float]
== geo fields

Geolocation for source.


*`source_ecs.geo.continent_name`*::
*`source.geo.continent_name`*::
+
--
type: keyword
Expand All @@ -4812,7 +4850,7 @@ Name of the continent.

--

*`source_ecs.geo.country_iso_code`*::
*`source.geo.country_iso_code`*::
+
--
type: keyword
Expand All @@ -4822,7 +4860,7 @@ Country ISO code.

--

*`source_ecs.geo.location`*::
*`source.geo.location`*::
+
--
type: geo_point
Expand All @@ -4832,7 +4870,7 @@ Longitude and latitude.

--

*`source_ecs.geo.region_name`*::
*`source.geo.region_name`*::
+
--
type: keyword
Expand All @@ -4842,7 +4880,7 @@ Region name.

--

*`source_ecs.geo.city_name`*::
*`source.geo.city_name`*::
+
--
type: keyword
Expand All @@ -4852,7 +4890,7 @@ City name.

--

*`source_ecs.geo.region_iso_code`*::
*`source.geo.region_iso_code`*::
+
--
type: keyword
2 changes: 1 addition & 1 deletion filebeat/include/fields.go

Large diffs are not rendered by default.

58 changes: 58 additions & 0 deletions heartbeat/docs/fields.asciidoc
Expand Up @@ -1810,6 +1810,64 @@ Ephemeral identifier of this service (if one exists).
This id normally changes across restarts, but `service.id` does not.


--

[float]
== source fields

Source fields describe details about the source of the event.



*`source.ip`*::
+
--
type: ip

IP address of the source.
Can be one or multiple IPv4 or IPv6 addresses.


--

*`source.hostname`*::
+
--
type: keyword

Hostname of the source.


--

*`source.port`*::
+
--
type: long

Port of the source.


--

*`source.mac`*::
+
--
type: keyword

MAC address of the source.


--

*`source.domain`*::
+
--
type: keyword

Source domain.


--

[float]