Adds .cidr and .netmask #111

Closed
wants to merge 2 commits into from
6 changes: 6 additions & 0 deletions README.md
Expand Up @@ -119,6 +119,8 @@ Destination fields describe details about the destination of a packet/event.
| Field | Description | Type | Multi Field | Example |
|---|---|---|---|---|
| <a name="destination.ip"></a>destination.ip | IP address of the destination.<br/>Can be one or multiple IPv4 or IPv6 addresses. | ip | | |
| <a name="destination.cidr"></a>destination.cidr | CIDR of the destination IP address | ip | | |
| <a name="destination.netmask"></a>destination.netmask | Netmask of the destination IP address | ip | | |
| <a name="destination.hostname"></a>destination.hostname | Hostname of the destination. | keyword | | |
| <a name="destination.port"></a>destination.port | Port of the destination. | long | | |
| <a name="destination.mac"></a>destination.mac | MAC address of the destination. | keyword | | |
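Review bot: `destination.cidr` is typed `ip` in this table, but an Elasticsearch `ip` field holds a single address and rejects a range such as `10.0.0.0/8`; the Type column should read `ip_range`. `destination.netmask` typed `ip` will index (a dotted mask is a well-formed IPv4 address), but CIDR and range queries against it are meaningless, so consider `keyword`, or rely on the prefix length already carried by `cidr`. Also, the two new Description cells end without a period, unlike the surrounding rows, and the Example column is empty where the network.* rows provide one.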
Expand Down Expand Up @@ -291,6 +293,8 @@ Fields related to network data.
| <a name="network.protocol"></a>network.protocol | Network protocol name. | keyword | | `http` |
| <a name="network.direction"></a>network.direction | Direction of the network traffic.<br/>Recommended values are:<br/> * inbound<br/> * outbound<br/> * unknown | keyword | | `inbound` |
| <a name="network.forwarded_ip"></a>network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | | `192.1.1.2` |
| <a name="network.cidr"></a>network.cidr | CIDR range of a network. Commonly used in DHCP logs. | ip | | `10.0.0.0/8` |
| <a name="network.netmask"></a>network.netmask | Netmask of a network | ip | | `255.255.255.0` |
| <a name="network.inbound.bytes"></a>network.inbound.bytes | Network inbound bytes. | long | | `184` |
| <a name="network.inbound.packets"></a>network.inbound.packets | Network inbound packets. | long | | `12` |
| <a name="network.outbound.bytes"></a>network.outbound.bytes | Network outbound bytes. | long | | `184` |
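Review bot: the `network.cidr` row pairs type `ip` with the example `10.0.0.0/8`, which is exactly the value an `ip` mapping refuses to index; the row needs type `ip_range`. `network.netmask` as `ip` stores `255.255.255.0`, but the mask is redundant with the prefix length in `network.cidr`; if both are kept, the descriptions should state that they must agree. "Netmask of a network" also lacks the trailing period used in the rest of the table.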
Expand Down Expand Up @@ -361,6 +365,8 @@ Source fields describe details about the source of the event.
| Field | Description | Type | Multi Field | Example |
|---|---|---|---|---|
| <a name="source.ip"></a>source.ip | IP address of the source.<br/>Can be one or multiple IPv4 or IPv6 addresses. | ip | | |
| <a name="source.cidr"></a>source.cidr | CIDR of the source IP address | ip | | |
| <a name="source.netmask"></a>source.netmask | Netmask of the source IP address | ip | | |
| <a name="source.hostname"></a>source.hostname | Hostname of the source. | keyword | | |
| <a name="source.port"></a>source.port | Port of the source. | long | | |
| <a name="source.mac"></a>source.mac | MAC address of the source. | keyword | | |
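Review bot: same issue as the destination rows: `source.cidr` should be typed `ip_range`, not `ip`, and both `source.cidr` and `source.netmask` need a trailing period and an Example value to match the rest of the table.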
29 changes: 29 additions & 0 deletions fields.yml
Expand Up @@ -203,6 +203,14 @@
IP address of the destination.

Can be one or multiple IPv4 or IPv6 addresses.
- name: cidr
type: ip
webmat (Contributor) commented on Sep 5, 2018:
Each .cidr field should actually be of type ip_range [1], not ip [2]. You can search an ip field with a CIDR range, but you can't store a range directly in it.

If you want to play with these in a Kibana console:

```
PUT ip_test
{
  "mappings": {
    "_doc": {
      "properties": {
        "address": { "type": "ip" },
        "range":   { "type": "ip_range" }
      }
    }
  }
}

PUT ip_test/_doc/1
{ "address": "127.0.0.1" }
PUT ip_test/_doc/2
{ "address": "::1" }
PUT ip_test/_doc/3
{ "address": "255.255.255.0" }
# Fails:
PUT ip_test/_doc/4
{ "address": "10.0.0.0/8" }
PUT ip_test/_doc/4
{ "range": "10.0.0.0/8" }
# Fails:
PUT ip_test/_doc/5
{ "range": "255.255.255.0" }

GET ip_test/_search
DELETE ip_test
```
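The same distinction the console session above demonstrates, checked from the ingest side as an added example (this is not code from the PR, from ECS or from Elasticsearch): Python's `ipaddress` module accepts a bare address or a dotted netmask exactly where an `ip` field would, and rejects a range exactly where an `ip` field would. On top of that it shows what a pipeline could do before the document reaches the mapping: derive a canonical `network.cidr` from `source.ip` plus `network.netmask`, refuse a mask with non-contiguous bits (which an `ip` field would index without complaint), and flag a cidr/netmask pair that disagrees. The event dicts are constructed here, and the `network.prefixlen` key is a hypothetical derived field, not an ECS field.

```python
"""Check cidr/netmask values against what an Elasticsearch `ip` field accepts.

Added example, not code from ECS or Elasticsearch. The sample events below
are constructed; the `network.prefixlen` key written by normalize_network is a
hypothetical derived field, not an ECS field.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed events shaped like the fields this PR adds.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"source.ip": "10.1.2.3", "network.cidr": "10.0.0.0/8", "network.netmask": "255.0.0.0"},
    {"source.ip": "192.168.1.10", "network.netmask": "255.255.255.0"},   # mask only
    {"source.ip": "2001:db8::1", "network.cidr": "2001:db8::/32"},      # IPv6 range
    {"source.ip": "10.1.2.3", "network.netmask": "255.0.255.0"},        # bad mask
]


def fits_ip_field(value: str) -> bool:
    """True iff value is a single IPv4/IPv6 address, which is all an
    Elasticsearch `ip` field stores. A dotted netmask passes (it is a
    well-formed address); a CIDR range such as 10.0.0.0/8 does not."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def netmask_to_prefixlen(mask: str) -> int:
    """Convert a netmask (IPv4 dotted or IPv6) to its prefix length.

    Rejects non-contiguous masks such as 255.0.255.0, which ip_address()
    parses without complaint and an `ip` field would index."""
    addr = ipaddress.ip_address(mask)
    bits = addr.max_prefixlen
    m = int(addr)
    ones = bin(m).count("1")
    # A valid mask is `ones` high bits set, followed only by zeros.
    expected = ((1 << bits) - 1) ^ ((1 << (bits - ones)) - 1)
    if m != expected:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return ones


def normalize_network(event: Dict[str, str]) -> Dict[str, object]:
    """Return a copy of event with network.cidr in canonical CIDR form.

    If only a netmask was logged, the network is derived from source.ip.
    If both cidr and netmask are present they must agree."""
    out: Dict[str, object] = dict(event)
    cidr = event.get("network.cidr")
    mask = event.get("network.netmask")
    prefixlen = netmask_to_prefixlen(mask) if mask is not None else None

    if cidr is not None:
        net = ipaddress.ip_network(cidr, strict=False)
        if prefixlen is not None and prefixlen != net.prefixlen:
            raise ValueError(f"netmask {mask} disagrees with cidr {cidr}")
    elif prefixlen is not None and "source.ip" in event:
        net = ipaddress.ip_network(f"{event['source.ip']}/{prefixlen}", strict=False)
    else:
        return out  # nothing to normalize

    out["network.cidr"] = str(net)
    out["network.prefixlen"] = net.prefixlen  # hypothetical derived field
    return out


def audit(events: List[Dict[str, str]]) -> Tuple[List[Dict[str, object]], List[str]]:
    """Normalize each event; collect the ones that fail validation."""
    good, errors = [], []
    for ev in events:
        try:
            good.append(normalize_network(ev))
        except ValueError as exc:
            errors.append(str(exc))
    return good, errors


if __name__ == "__main__":
    for v in ("10.0.0.0/8", "255.255.255.0", "::1"):
        print(f"{v:>16} fits ip field: {fits_ip_field(v)}")
    good, errors = audit(SAMPLE_EVENTS)
    for ev in good:
        print("ok   ", ev["network.cidr"])
    for err in errors:
        print("error", err)
```

Run as a script it reports that `10.0.0.0/8` does not fit an `ip` field while `255.255.255.0` and `::1` do, normalizes the first three sample events (the mask-only event becomes `192.168.1.0/24`), and rejects the fourth for its non-contiguous mask. The point for the schema is that type checking alone cannot tell a netmask from a host address, so if `netmask` is kept as a separate field its consistency with `cidr` has to be enforced somewhere like this.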

description: >
CIDR of the destination IP address
- name: netmask
type: ip
description: >
Netmask of the destination IP address
- name: hostname
type: keyword
description: >
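Review bot: `type: ip` for `cidr` will make the generated template reject every document that carries a real CIDR value; it needs `type: ip_range`. The hunk is identical to the one in schemas/destination.yml, so fields.yml appears to be generated from schemas/*.yml and the fix belongs there, with this file regenerated rather than edited by hand. The two new entries also lack an `example:` line and the trailing period in the description that the neighbouring entries use.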
Expand Down Expand Up @@ -774,6 +782,7 @@
description: >
Network protocol name.
example: http

- name: direction
type: keyword
description: >
Expand All @@ -791,6 +800,18 @@
Host IP address when the source IP address is the proxy.
example: 192.1.1.2

- name: cidr
type: ip
description: >
CIDR range of a network. Commonly used in DHCP logs.
example: 10.0.0.0/8

- name: netmask
type: ip
description: >
Netmask of a network
example: 255.255.255.0

# Metrics
- name: inbound.bytes
type: long
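Review bot: `example: 10.0.0.0/8` under `type: ip` is self-contradictory: an `ip` field cannot store a range, so this example would fail the template's own mapping; change the type to `ip_range`. For `netmask`, `255.255.255.0` indexes as an `ip` only by accident of syntax; if the field stays, the description should say it must agree with the prefix in `network.cidr`, and it should end with a period.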
Expand Down Expand Up @@ -995,6 +1016,14 @@
IP address of the source.

Can be one or multiple IPv4 or IPv6 addresses.
- name: cidr
type: ip
description: >
CIDR of the source IP address
Contributor comment:
Could you add examples as you did in the others above?

Nit: Please add dots at the end of the descriptions as it will show up like this in the docs.

- name: netmask
type: ip
description: >
Netmask of the source IP address
- name: hostname
type: keyword
description: >
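Review bot: `cidr` here repeats the `type: ip` problem and needs `type: ip_range`. The request above for examples and trailing periods applies to both `cidr` and `netmask` in this block, and the change should be made in schemas/source.yml so that this generated copy follows.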
6 changes: 6 additions & 0 deletions schema.csv
Expand Up @@ -20,10 +20,12 @@ container.image.tag,keyword,0,
container.labels,object,0,
container.name,keyword,0,
container.runtime,keyword,0,docker
destination.cidr,ip,0,
destination.domain,keyword,1,
destination.hostname,keyword,0,
destination.ip,ip,0,
destination.mac,keyword,0,
destination.netmask,ip,0,
destination.port,long,0,
destination.subdomain,keyword,1,
device.hostname,keyword,0,
Expand Down Expand Up @@ -94,11 +96,13 @@ log.level,keyword,0,ERR
log.line,long,0,18
log.offset,long,0,12
log.original,keyword,1,Sep 19 08:26:10 localhost My log
network.cidr,ip,0,10.0.0.0/8
network.direction,keyword,0,inbound
network.forwarded_ip,ip,0,192.1.1.2
network.inbound.bytes,long,0,184
network.inbound.packets,long,0,12
network.name,text,0,Guest Wifi
network.netmask,ip,0,255.255.255.0
network.outbound.bytes,long,0,184
network.outbound.packets,long,0,12
network.protocol,keyword,0,http
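Review bot: `network.cidr,ip,0,10.0.0.0/8` records an example value that the declared `ip` type cannot hold; the type column should be `ip_range` here and for the `destination.cidr` and `source.cidr` rows above and below. Like fields.yml, this CSV mirrors schemas/*.yml, so regenerate it after fixing the source definitions instead of patching it directly.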
Expand All @@ -122,10 +126,12 @@ service.name,keyword,1,elasticsearch
service.state,keyword,1,
service.type,keyword,1,
service.version,keyword,1,3.2.4
source.cidr,ip,0,
source.domain,keyword,1,
source.hostname,keyword,0,
source.ip,ip,0,
source.mac,keyword,1,
source.netmask,ip,0,
source.port,long,1,
source.subdomain,keyword,1,
tls.certificates,keyword,0,
8 changes: 8 additions & 0 deletions schemas/destination.yml
Expand Up @@ -13,6 +13,14 @@
IP address of the destination.

Can be one or multiple IPv4 or IPv6 addresses.
- name: cidr
type: ip
description: >
CIDR of the destination IP address
- name: netmask
type: ip
description: >
Netmask of the destination IP address
- name: hostname
type: keyword
description: >
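Review bot: this is the source definition the other files are generated from, so the type fix belongs here: `cidr` should be `type: ip_range`, because an `ip` field rejects values such as `10.0.0.0/8`. Add `example:` lines (for instance `10.0.0.0/8` and `255.255.255.0`, as schemas/network.yml does) and end both descriptions with a period.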
13 changes: 13 additions & 0 deletions schemas/network.yml
Expand Up @@ -22,6 +22,7 @@
description: >
Network protocol name.
example: http

- name: direction
type: keyword
description: >
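Review bot: this hunk only inserts a blank line after `example: http`; it is unrelated to adding cidr/netmask and makes the diff noisier, so drop it or move it to a separate formatting commit.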
Expand All @@ -39,6 +40,18 @@
Host IP address when the source IP address is the proxy.
example: 192.1.1.2

- name: cidr
type: ip
description: >
CIDR range of a network. Commonly used in DHCP logs.
example: 10.0.0.0/8

- name: netmask
type: ip
description: >
Netmask of a network
example: 255.255.255.0

# Metrics
- name: inbound.bytes
type: long
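Review bot: `type: ip` with `example: 10.0.0.0/8` cannot both be right; an `ip` field indexes single addresses only, so `cidr` needs `type: ip_range`. Consider also whether `netmask` is needed alongside `cidr` at all, since the prefix length already encodes the mask; if it stays, document that it is the dotted form of the same prefix and end the description with a period.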
8 changes: 8 additions & 0 deletions schemas/source.yml
Expand Up @@ -12,6 +12,14 @@
IP address of the source.

Can be one or multiple IPv4 or IPv6 addresses.
- name: cidr
type: ip
description: >
CIDR of the source IP address
- name: netmask
type: ip
description: >
Netmask of the source IP address
- name: hostname
type: keyword
description: >
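Review bot: same as schemas/destination.yml: `cidr` must be `type: ip_range`, not `ip`, and the two new entries need `example:` values and trailing periods in their descriptions.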
19 changes: 19 additions & 0 deletions template.json
Expand Up @@ -120,6 +120,9 @@
},
"destination": {
"properties": {
"cidr": {
"type": "ip"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
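Review bot: this mapping is what Elasticsearch actually enforces, and `"type": "ip"` here means an index request for any event with `destination.cidr: "10.0.0.0/8"` fails, as the console session in the fields.yml comment shows. It should be `"type": "ip_range"`; since template.json is generated, regenerate it after fixing schemas/destination.yml.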
Expand All @@ -135,6 +138,9 @@
"ignore_above": 1024,
"type": "keyword"
},
"netmask": {
"type": "ip"
},
"port": {
"type": "long"
},
Expand Down Expand Up @@ -495,6 +501,9 @@
},
"network": {
"properties": {
"cidr": {
"type": "ip"
},
"direction": {
"ignore_above": 1024,
"type": "keyword"
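Review bot: `network.cidr` mapped as `"type": "ip"` has the same problem as `destination.cidr` above: the documented example `10.0.0.0/8` cannot be indexed under this mapping; use `"type": "ip_range"`.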
Expand Down Expand Up @@ -522,6 +531,9 @@
"norms": false,
"type": "text"
},
"netmask": {
"type": "ip"
},
"outbound": {
"properties": {
"bytes": {
Expand Down Expand Up @@ -636,6 +648,9 @@
},
"source": {
"properties": {
"cidr": {
"type": "ip"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
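Review bot: `source.cidr` also needs `"type": "ip_range"` instead of `"type": "ip"`, for the same reason as the destination and network mappings.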
Expand All @@ -651,6 +666,9 @@
"ignore_above": 1024,
"type": "keyword"
},
"netmask": {
"type": "ip"
},
"port": {
"type": "long"
},
Expand All @@ -668,6 +686,7 @@
"properties": {
"certificates": {
"doc_values": false,
"ignore_above": 1024,
"type": "keyword"
},
"ciphersuite": {
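Review bot: the added `"ignore_above": 1024` on `tls.certificates` has nothing to do with cidr/netmask; it looks like output from a regenerated template that an earlier commit missed. Either split it into its own commit with an explanation or drop it from this PR.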