Skip to content

Commit

Permalink
Add http.[request|response].mime_type (elastic#944) (elastic#949)
Browse files Browse the repository at this point in the history
  • Loading branch information
Mathieu Martin authored Aug 24, 2020
1 parent ab227b3 commit e106899
Show file tree
Hide file tree
Showing 10 changed files with 177 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.md
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ Thanks, you're awesome :-) -->
* Added `span.id` to the tracing fieldset, for additional log correlation (#882)
* Added `event.reason` for the reason why an event's outcome or action was taken. #907
* Added `related.hosts` to capture all hostnames and host identifiers on an event. #913
* Added Mime Type fields to HTTP request and response. #944

#### Improvements

Expand Down
14 changes: 14 additions & 0 deletions code/go/ecs/http.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

30 changes: 30 additions & 0 deletions docs/field-details.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -2836,6 +2836,21 @@ example: `GET, POST, PUT, PoST`

// ===============================================================

| http.request.mime_type
| Mime type of the body of the request.

This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients.

type: keyword



example: `image/gif`

| extended

// ===============================================================

| http.request.referrer
| Referrer for this HTTP request.

Expand Down Expand Up @@ -2894,6 +2909,21 @@ example: `1437`

// ===============================================================

| http.response.mime_type
| Mime type of the body of the response.

This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers.

type: keyword



example: `image/gif`

| extended

// ===============================================================

| http.response.status_code
| HTTP response status code.

Expand Down
24 changes: 24 additions & 0 deletions generated/beats/fields.ecs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2317,6 +2317,18 @@
method may be useful in anomaly detection. Original case will be mandated
in ECS 2.0.0'
example: GET, POST, PUT, PoST
- name: request.mime_type
level: extended
type: keyword
ignore_above: 1024
description: 'Mime type of the body of the request.
This value must only be populated based on the content of the request body,
not on the `Content-Type` header. Comparing the mime type of a request with
the request''s Content-Type header can be helpful in detecting threats or
misconfigured clients.'
example: image/gif
default_field: false
- name: request.referrer
level: extended
type: keyword
Expand Down Expand Up @@ -2346,6 +2358,18 @@
format: bytes
description: Total size in bytes of the response (body and headers).
example: 1437
- name: response.mime_type
level: extended
type: keyword
ignore_above: 1024
description: 'Mime type of the body of the response.
This value must only be populated based on the content of the response body,
not on the `Content-Type` header. Comparing the mime type of a response with
the response''s Content-Type header can be helpful in detecting misconfigured
servers.'
example: image/gif
default_field: false
- name: response.status_code
level: extended
type: long
Expand Down
2 changes: 2 additions & 0 deletions generated/csv/fields.csv
Original file line number Diff line number Diff line change
Expand Up @@ -269,11 +269,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
1.7.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
1.7.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
1.7.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
1.7.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
1.7.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
1.7.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
1.7.0-dev,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body.
1.7.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
1.7.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
1.7.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
1.7.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
1.7.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version.
1.7.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
Expand Down
30 changes: 30 additions & 0 deletions generated/ecs/ecs_flat.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3617,6 +3617,21 @@ http.request.method:
normalize: []
short: HTTP request method.
type: keyword
http.request.mime_type:
dashed_name: http-request-mime-type
description: 'Mime type of the body of the request.
This value must only be populated based on the content of the request body, not
on the `Content-Type` header. Comparing the mime type of a request with the request''s
Content-Type header can be helpful in detecting threats or misconfigured clients.'
example: image/gif
flat_name: http.request.mime_type
ignore_above: 1024
level: extended
name: request.mime_type
normalize: []
short: Mime type of the body of the request.
type: keyword
http.request.referrer:
dashed_name: http-request-referrer
description: Referrer for this HTTP request.
Expand Down Expand Up @@ -3666,6 +3681,21 @@ http.response.bytes:
normalize: []
short: Total size in bytes of the response (body and headers).
type: long
http.response.mime_type:
dashed_name: http-response-mime-type
description: 'Mime type of the body of the response.
This value must only be populated based on the content of the response body, not
on the `Content-Type` header. Comparing the mime type of a response with the response''s
Content-Type header can be helpful in detecting misconfigured servers.'
example: image/gif
flat_name: http.response.mime_type
ignore_above: 1024
level: extended
name: response.mime_type
normalize: []
short: Mime type of the body of the response.
type: keyword
http.response.status_code:
dashed_name: http-response-status-code
description: HTTP response status code.
Expand Down
32 changes: 32 additions & 0 deletions generated/ecs/ecs_nested.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4302,6 +4302,22 @@ http:
normalize: []
short: HTTP request method.
type: keyword
http.request.mime_type:
dashed_name: http-request-mime-type
description: 'Mime type of the body of the request.
This value must only be populated based on the content of the request body,
not on the `Content-Type` header. Comparing the mime type of a request with
the request''s Content-Type header can be helpful in detecting threats or
misconfigured clients.'
example: image/gif
flat_name: http.request.mime_type
ignore_above: 1024
level: extended
name: request.mime_type
normalize: []
short: Mime type of the body of the request.
type: keyword
http.request.referrer:
dashed_name: http-request-referrer
description: Referrer for this HTTP request.
Expand Down Expand Up @@ -4351,6 +4367,22 @@ http:
normalize: []
short: Total size in bytes of the response (body and headers).
type: long
http.response.mime_type:
dashed_name: http-response-mime-type
description: 'Mime type of the body of the response.
This value must only be populated based on the content of the response body,
not on the `Content-Type` header. Comparing the mime type of a response with
the response''s Content-Type header can be helpful in detecting misconfigured
servers.'
example: image/gif
flat_name: http.response.mime_type
ignore_above: 1024
level: extended
name: response.mime_type
normalize: []
short: Mime type of the body of the response.
type: keyword
http.response.status_code:
dashed_name: http-response-status-code
description: HTTP response status code.
Expand Down
8 changes: 8 additions & 0 deletions generated/elasticsearch/6/template.json
Original file line number Diff line number Diff line change
Expand Up @@ -1262,6 +1262,10 @@
"ignore_above": 1024,
"type": "keyword"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"referrer": {
"ignore_above": 1024,
"type": "keyword"
Expand Down Expand Up @@ -1290,6 +1294,10 @@
"bytes": {
"type": "long"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"status_code": {
"type": "long"
}
Expand Down
8 changes: 8 additions & 0 deletions generated/elasticsearch/7/template.json
Original file line number Diff line number Diff line change
Expand Up @@ -1261,6 +1261,10 @@
"ignore_above": 1024,
"type": "keyword"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"referrer": {
"ignore_above": 1024,
"type": "keyword"
Expand Down Expand Up @@ -1289,6 +1293,10 @@
"bytes": {
"type": "long"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"status_code": {
"type": "long"
}
Expand Down
28 changes: 28 additions & 0 deletions schemas/http.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,20 @@
example: GET, POST, PUT, PoST

- name: request.mime_type
level: extended
type: keyword
short: Mime type of the body of the request.
description: >
Mime type of the body of the request.
This value must only be populated based on the content of the request
body, not on the `Content-Type` header. Comparing the mime type of a
request with the request's Content-Type header can be helpful in detecting
threats or misconfigured clients.
example: image/gif

- name: request.body.content
level: extended
type: keyword
Expand All @@ -51,6 +65,20 @@
HTTP response status code.
example: 404

- name: response.mime_type
level: extended
type: keyword
short: Mime type of the body of the response.
description: >
Mime type of the body of the response.
This value must only be populated based on the content of the response
body, not on the `Content-Type` header. Comparing the mime type of a
response with the response's Content-Type header can be helpful in detecting
misconfigured servers.
example: image/gif

- name: response.body.content
level: extended
type: keyword
Expand Down

0 comments on commit e106899

Please sign in to comment.