Revised Network Metrics #2

Closed
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,7 @@ All notable changes to this project will be documented in this file based on the
## [Unreleased](https://github.com/elastic/ecs/compare/0.1.0...master)

### Breaking changes
- Replaced network.inbound/outbound with less ambigious network.transfer.

### Bugfixes

7 changes: 2 additions & 5 deletions README.md
Expand Up @@ -271,12 +271,9 @@ All fields related to network data.
| Field | Description | Type | Multi Field | Example |
|---|---|---|---|---|
| <a name="network.protocol"></a>`network.protocol` | Network protocol name. | keyword | | `http` |
| <a name="network.direction"></a>`network.direction` | Direction of the network traffic.<br/>The recommended values are:<br/> * inbound<br/> * outbound<br/> * unknown | keyword | | `inbound` |
| <a name="network.forwarded_ip"></a>`network.forwarded_ip` | forwarded_ip indicates the host IP address when the source IP address is the proxy. | ip | | `192.1.1.2` |
| <a name="network.inbound.bytes"></a>`network.inbound.bytes` | Network inbound bytes. | long | | `184` |
| <a name="network.inbound.packets"></a>`network.inbound.packets` | Network inbound packets. | long | | `12` |
| <a name="network.outbound.bytes"></a>`network.outbound.bytes` | Network outbound bytes. | long | | `184` |
| <a name="network.outbound.packets"></a>`network.outbound.packets` | Network outbound packets. | long | | `12` |
| <a name="network.transfer.bytes"></a>`network.transfer.bytes` | Network bytes transferred.<br/>Typically used with netflow, sflow, or cloud provider flow logs | long | | `184` |
| <a name="network.transfer.packets"></a>`network.transfer.packets` | Network packets transferred.<br/>Typically used with netflow, sflow, or cloud provider flow logs | long | | `12` |


## <a name="organization"></a> Organization fields
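Review bot: both added rows end their second sentence without a period ("...cloud provider flow logs"), unlike every other description in this table ("Network protocol name."). Since README.md mirrors schemas/network.yml row for row, the wording fix belongs in the yml description and the table should then be regenerated rather than hand-edited.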
7 changes: 2 additions & 5 deletions schema.csv
Expand Up @@ -86,13 +86,10 @@ kubernetes.pod.name,keyword,0,
log.level,keyword,0,ERR
log.line,long,0,18
log.offset,long,0,12
network.direction,keyword,0,inbound
network.forwarded_ip,ip,0,192.1.1.2
network.inbound.bytes,long,0,184
network.inbound.packets,long,0,12
network.outbound.bytes,long,0,184
network.outbound.packets,long,0,12
network.protocol,keyword,0,http
network.transfer.bytes,long,0,184
network.transfer.packets,long,0,12
organization.id,keyword,0,
organization.name,text,0,
process.args,keyword,0,"['-l', 'user', '10.0.0.16']"
32 changes: 8 additions & 24 deletions schemas/network.yml
Expand Up @@ -10,16 +10,6 @@
description: >
Network protocol name.
example: http
- name: direction
Contributor


I think we still need this field?

Contributor Author


@ruflin src and dest are explicit in the direction. This is redundant imo.

Contributor


It's a convention field to filter on. We for example use it here in auditbeat: https://github.com/elastic/beats/blob/master/auditbeat/module/auditd/_meta/fields.yml#L162

@andrewkroh can perhaps share some more background here?

type: keyword
description: >
Direction of the network traffic.

The recommended values are:
* inbound
* outbound
* unknown
example: inbound

- name: forwarded_ip
type: ip
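Review bot: removing `direction` here leaves no field that records which way a flow went, now that the per-direction counters are folded into the single `transfer.*` pair in the next hunk; an event carrying only `transfer.bytes` can no longer be told apart as inbound or outbound, which is exactly the filter the inline discussion points to in auditbeat, and detection content that separates traffic leaving a host from traffic arriving at it depends on that distinction. The src/dest argument only holds when the reader already knows which endpoint is "local", so I'd keep `direction` (keyword, recommended values inbound / outbound / unknown) and update the changelog to match whichever way this lands.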
Expand All @@ -29,23 +19,17 @@
example: 192.1.1.2

# Metrics
- name: inbound.bytes
type: long
description: >
Network inbound bytes.
example: 184
- name: inbound.packets
type: long
description: >
Network inbound packets.
example: 12
- name: outbound.bytes
- name: transfer.bytes
type: long
description: >
Network outbound bytes.
Network bytes transferred.

Typically used with netflow, sflow, or cloud provider flow logs
example: 184
- name: outbound.packets
- name: transfer.packets
type: long
description: >
Network outbound packets.
Network packets transferred.

Typically used with netflow, sflow, or cloud provider flow logs
example: 12
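Review bot: "Network bytes transferred." does not say whether `transfer.bytes` is the sum of both directions of a flow or the byte count of the single direction that one flow record describes; netflow, sflow and cloud flow logs differ on this, so the description should state the intended semantics explicitly, e.g. "Total bytes transferred in both directions of the flow.", and the same for `transfer.packets`. Without that, two exporters feeding the same index will disagree on what the number means.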
22 changes: 4 additions & 18 deletions template.json
Expand Up @@ -445,24 +445,14 @@
},
"network": {
"properties": {
"direction": {
"ignore_above": 1024,
"type": "keyword"
},
"forwarded_ip": {
"type": "ip"
},
"inbound": {
"properties": {
"bytes": {
"type": "long"
},
"packets": {
"type": "long"
}
}
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"outbound": {
"transfer": {
"properties": {
"bytes": {
"type": "long"
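Review bot: dropping the `direction` keyword mapping means any existing index or saved query that filters on `network.direction` stops matching; if the field is retained as discussed on schemas/network.yml, this block (`"direction": { "ignore_above": 1024, "type": "keyword" }`) has to come back as well. Moving `protocol` above `transfer` keeps the properties alphabetical, consistent with schema.csv, and the brace structure still closes correctly, so the JSON itself looks right.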
Expand All @@ -471,10 +461,6 @@
"type": "long"
}
}
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
}
}
},