source.yml (forked from elastic/ecs)
---
- name: source
  title: Source
  group: 2
  short: Fields about the source side of a network connection, used with destination.
  description: >
    Source fields describe details about the source of a packet/event.

    Source fields are usually populated in conjunction with destination fields.
  type: group
  fields:

    - name: address
      level: extended
      type: keyword
      short: Source network address.
      description: >
        Some event source addresses are defined ambiguously. The event will
        sometimes list an IP, a domain or a unix socket. You should always
        store the raw address in the `.address` field.

        Then it should be duplicated to `.ip` or `.domain`, depending on which
        one it is.

    - name: ip
      level: core
      type: ip
      short: IP address of the source.
      description: >
        IP address of the source.

        Can be one or multiple IPv4 or IPv6 addresses.

    - name: port
      format: string
      level: core
      type: long
      description: >
        Port of the source.

    - name: mac
      level: core
      type: keyword
      description: >
        MAC address of the source.

    - name: domain
      level: core
      type: keyword
      description: >
        Source domain.

    # Metrics
    - name: bytes
      format: bytes
      level: core
      type: long
      example: 184
      description: >
        Bytes sent from the source to the destination.

    - name: packets
      level: core
      type: long
      example: 12
      description: >
        Packets sent from the source to the destination.

    - name: nat.ip
      level: extended
      type: ip
      short: Source NAT IP
      description: >
        Translated IP of source-based NAT sessions (e.g. internal client to internet).

        Typically connections traversing load balancers, firewalls, or routers.

    - name: nat.port
      format: string
      level: extended
      type: long
      short: Source NAT port
      description: >
        Translated port of source-based NAT sessions (e.g. internal client to internet).

        Typically used with load balancers, firewalls, or routers.
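The population rule given for `address` above (keep the raw value in `source.address`, then duplicate it into `source.ip` or `source.domain` depending on which one it is), as an added Python example that is not part of the ECS schema or the elastic/ecs project. The `host:port` splitting, the hostname regex and the stripping of an IPv6 zone index before storing `source.ip` are assumptions of this example.

```python
import ipaddress
import re

# DNS-style hostname: dot-separated labels of letters, digits and hyphens.
# Constructed for this example; the ECS schema itself prescribes no regex.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def split_host_port(value: str):
    """Split 'host:port' or '[v6]:port' into (host, port-or-None).

    A bare IPv6 address ('2001:db8::1') has no port and is returned whole.
    """
    v = value.strip()
    if v.startswith("["):
        host, sep, rest = v[1:].partition("]")
        if sep and rest.startswith(":") and rest[1:].isdigit():
            return host, int(rest[1:])
        return host, None
    host, sep, port = v.rpartition(":")
    if sep and port.isdigit() and ":" not in host:
        return host, int(port)
    return v, None


def source_fields(raw: str) -> dict:
    """Map an ambiguous source address to flat ECS source.* fields.

    The address is always kept in source.address, then duplicated to
    source.ip or source.domain depending on what it is. A unix socket path
    matches neither and stays in source.address only. A port, when one is
    attached, goes to source.port as a long (ECS formats it as a string).
    """
    host, port = split_host_port(raw)
    fields = {"source.address": host}
    if port is not None:
        fields["source.port"] = port
    try:
        # Drop an IPv6 zone index (fe80::1%eth0): the stored ip must be a
        # plain address. ValueError means "not an IP", so fall through.
        fields["source.ip"] = str(ipaddress.ip_address(host.split("%", 1)[0]))
        return fields
    except ValueError:
        pass
    if _DOMAIN_RE.match(host):
        # Normalise for matching; the raw spelling survives in source.address.
        fields["source.domain"] = host.rstrip(".").lower()
    return fields
```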