Convert Packetbeat Flows to ECS #9121
Conversation
andrewkroh
added
in progress
| "start": "2018-11-15T14:41:21.000Z", | ||
| "type": "flow" | ||
| }, | ||
| "flow": { |
|
I wonder if we should have a second file besides |
|
This has been updated based on the proposed changes in elastic/ecs#179. |
andrewkroh
force-pushed
the
feature/pb/ecs-flows
branch
from
29676e0 to
5fee60a
Compare
|
@andrewkroh Should in your PR description above |
andrewkroh
force-pushed
the
feature/pb/ecs-flows
branch
from
d8db504 to
ace9b93
Compare
Good catch. I fixed it in the description and the commit message. I squashed the existing commits and rebased on master. |
andrewkroh
force-pushed
the
feature/pb/ecs-flows
branch
from
ace9b93 to
6e87f68
Compare
|
Pinging @elastic/secops |
@ruflin None of these fields changes are being back-ported. |
|
@andrewkroh As the above migrated fields are all 1-1 mappings, should we introduce aliases for it in 6.x? |
|
@ruflin Good idea. I'll added a checklist item to the parent issue for adding alias. I think it would make sense to look at the whole list of changes made for 7.0 then open a single PR to add all the alias we desire for Packetbeat to the 6.x branch. |
andrewkroh
force-pushed
the
feature/pb/ecs-flows
branch
from
6e87f68 to
8c2fc44
Compare
Updating schema to commit 349406f59e5c7c80a20c9f213370d2601b73f040. Some fields were removed so I added placeholder fields with TODO statements. Those fields can be removed after modules using the fields are updated accordingly.
The makes changes to the event format generated by Packetbeat's flow feature. Field Changes - type -> event.type - transport -> network.transport - flow_id -> flow.id - final -> flow.final - vlan -> flow.vlan - start_time -> event.start - last_time -> event.end - source.stats.net_bytes_total -> source.bytes - source.stats.net_packets_total -> source.packets - dest.stats.net_bytes_total -> destination.bytes - dest.stats.net_packets_total -> destination.packets Added - network.bytes - network.packets - event.duration Frames with multiple levels of encapsulation like 802.1q with "Q-in-Q" will result in certain fields becoming an array with the outer most metadata being listed first (e.g. source.ip, destination.ip, flow.vlan). Any dashboards associated with flows are not updated in this change. Part of elastic#7968.
andrewkroh
force-pushed
the
feature/pb/ecs-flows
branch
from
25514e9 to
9b8c4d7
Compare
|
@ruflin I rebased this since it’s been in existence for a while. Can you please take another look? What changed?
|
| @@ -34,22 +34,22 @@ def test_mysql_flow(self): | |||
| pprint(objs) | |||
There was a problem hiding this comment.
What is this new pcap file just above (can't comment there)? Is that intentional in this PR?
| @@ -97,6 +118,125 @@ | |||
| different values which are then freely searchable. If multiple | |||
| messages exist, they can be combined into one message. | |||
|
|
|||
| - name: client | |||
There was a problem hiding this comment.
I'm not fully convinced we should add the full ecs fields yml to each Beat or only add the fields which are used by more then one Beat. We can still clean this up later.
| type: keyword | ||
| description: > | ||
| Unique ID to describe the event. | ||
| example: 8a4f500d | ||
| phase: 1 | ||
|
|
||
| - name: kind |
There was a problem hiding this comment.
The Packetbeat flow changes are not being back-ported to 6.x.
* Update ECS fields Updating schema to commit 349406f59e5c7c80a20c9f213370d2601b73f040. Some fields were removed so I added placeholder fields with TODO statements. Those fields can be removed after modules using the fields are updated accordingly. * Convert Packetbeat Flows to ECS The makes changes to the event format generated by Packetbeat's flow feature. Field Changes - type -> event.type - transport -> network.transport - flow_id -> flow.id - final -> flow.final - vlan -> flow.vlan - start_time -> event.start - last_time -> event.end - source.stats.net_bytes_total -> source.bytes - source.stats.net_packets_total -> source.packets - dest.stats.net_bytes_total -> destination.bytes - dest.stats.net_packets_total -> destination.packets Added - network.bytes - network.packets - event.duration Frames with multiple levels of encapsulation like 802.1q with "Q-in-Q" will result in certain fields becoming an array with the outer most metadata being listed first (e.g. source.ip, destination.ip, flow.vlan). Any dashboards associated with flows are not updated in this change. Part of elastic#7968.
The makes changes to the event format generated by Packetbeat's flow feature.
Sample Event
This is part of #7968.
Field Changes
Added
Frames with multiple levels of encapsulation like 802.1q with "Q-in-Q" will result in certain fields becoming an array with the outer most metadata being listed first (e.g. source.ip, destination.ip, flow.vlan).
Any dashboards associated with flows are not updated in this change.