Convert Packetbeat Flows to ECS (#9121)
* Update ECS fields

Updating schema to commit 349406f59e5c7c80a20c9f213370d2601b73f040.

Some fields were removed so I added placeholder fields with TODO statements. Those fields can be removed after modules using the fields are updated accordingly.

* Convert Packetbeat Flows to ECS

This makes changes to the event format generated by Packetbeat's flow feature.

Field Changes

- type -> event.type
- transport -> network.transport
- flow_id -> flow.id
- final -> flow.final
- vlan -> flow.vlan
- start_time -> event.start
- last_time -> event.end
- source.stats.net_bytes_total -> source.bytes
- source.stats.net_packets_total -> source.packets
- dest.stats.net_bytes_total -> destination.bytes
- dest.stats.net_packets_total -> destination.packets

Added
- network.bytes
- network.packets
- event.duration

Frames with multiple levels of encapsulation like 802.1q with "Q-in-Q" will result in certain fields becoming an array with the outermost metadata being listed first (e.g. source.ip, destination.ip, flow.vlan).

Any dashboards associated with flows are not updated in this change.

Part of #7968.
andrewkroh authored Dec 12, 2018
1 parent 267c76e commit 66a9525
Showing 31 changed files with 11,898 additions and 3,569 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.asciidoc
@@ -27,6 +27,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha1...master[Check the HEAD d

*Packetbeat*

- Renamed the flow event fields to follow Elastic Common Schema. {pull}9121[9121]

*Winlogbeat*

*Functionbeat*
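Review bot: the new CHANGELOG entry under *Packetbeat* describes the change only as a rename, while the commit message also adds network.bytes, network.packets and event.duration and notes that source.ip, destination.ip and flow.vlan become arrays for Q-in-Q encapsulated frames. Since the associated dashboards are not updated in this change, consider extending the entry (or adding a breaking-changes entry) to list the added fields and the array behaviour so users migrating saved searches and visualizations are not surprised.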

0 comments on commit 66a9525