[Packetbeat] - Change field names to follow ECS #7968
Labels
Comments
39 tasks
This was referenced Nov 30, 2018
andrewkroh
added a commit
to andrewkroh/beats
that referenced
this issue
Dec 9, 2018
The makes changes to the event format generated by Packetbeat's flow feature. Field Changes - type -> event.type - transport -> network.transport - flow_id -> flow.id - final -> flow.final - vlan -> flow.vlan - start_time -> event.start - last_time -> event.end - source.stats.net_bytes_total -> source.bytes - source.stats.net_packets_total -> source.packets - dest.stats.net_bytes_total -> destination.bytes - dest.stats.net_packets_total -> destination.packets Added - network.bytes - network.packets - event.duration Frames with multiple levels of encapsulation like 802.1q with "Q-in-Q" will result in certain fields becoming an array with the outer most metadata being listed first (e.g. source.ip, destination.ip, flow.vlan). Any dashboards associated with flows are not updated in this change. Part of elastic#7968.
andrewkroh
added a commit
that referenced
this issue
Dec 12, 2018
* Update ECS fields Updating schema to commit 349406f59e5c7c80a20c9f213370d2601b73f040. Some fields were removed so I added placeholder fields with TODO statements. Those fields can be removed after modules using the fields are updated accordingly. * Convert Packetbeat Flows to ECS The makes changes to the event format generated by Packetbeat's flow feature. Field Changes - type -> event.type - transport -> network.transport - flow_id -> flow.id - final -> flow.final - vlan -> flow.vlan - start_time -> event.start - last_time -> event.end - source.stats.net_bytes_total -> source.bytes - source.stats.net_packets_total -> source.packets - dest.stats.net_bytes_total -> destination.bytes - dest.stats.net_packets_total -> destination.packets Added - network.bytes - network.packets - event.duration Frames with multiple levels of encapsulation like 802.1q with "Q-in-Q" will result in certain fields becoming an array with the outer most metadata being listed first (e.g. source.ip, destination.ip, flow.vlan). Any dashboards associated with flows are not updated in this change. Part of #7968.
andrewkroh
added a commit
to andrewkroh/beats
that referenced
this issue
Jan 9, 2019
This updates the DNS protocol to have more closely follow ECS. The DNS tunneling dashboard has been updated to work with the new field names. In order to better interoperate with other data sources the trailing dot has been removed from domain names. For example, previously Packetbeat would produce `dns.question.name:elastic.co.` and now it will simply produce `dns.question.name:elastic.co`. It's a breaking change but it will be make it easier to pivot with other data sources. Part of elastic#7968 Here's a summary of what fields changed. Changed - bytes_in -> source.bytes - bytes_out -> destination.bytes - notes -> error.message - responsetime -> event.duration (unit are now nanoseconds) - transport -> network.transport Added - event.end - event.start - network.bytes - network.community_id - network.protocol = dns - network.transport = udp/tcp - network.type Unchanged Packetbeat Fields - method - dns opcode - query = class {{ dns.question.class }}, type {{ dns.question.type }}, {{ dns.question.name }} - request - text representation of the entire request - response - text representation of the entire response - resource - dns.question.name - status - type = dns (we might remove this since we have event.dataset)
andrewkroh
added a commit
that referenced
this issue
Jan 10, 2019
* Vendor github.com/elastic/ecs/code/go/ecs Update NOTICE * Update DNS protocol to use ECS fields This updates the DNS protocol to have more closely follow ECS. The DNS tunneling dashboard has been updated to work with the new field names. In order to better interoperate with other data sources the trailing dot has been removed from domain names. For example, previously Packetbeat would produce `dns.question.name:elastic.co.` and now it will simply produce `dns.question.name:elastic.co`. It's a breaking change but it will be make it easier to pivot with other data sources. Part of #7968 Here's a summary of what fields changed. Changed - bytes_in -> source.bytes - bytes_out -> destination.bytes - notes -> error.message - responsetime -> event.duration (unit are now nanoseconds) - transport -> network.transport Added - event.end - event.start - network.bytes - network.community_id - network.protocol = dns - network.transport = udp/tcp - network.type Unchanged Packetbeat Fields - method - dns opcode - query = class {{ dns.question.class }}, type {{ dns.question.type }}, {{ dns.question.name }} - request - text representation of the entire request - response - text representation of the entire response - resource - dns.question.name - status - type = dns (we might remove this since we have event.dataset) * Add packetbeat fields to ecs-migration.yml No aliases yet because these fields are still used. * Fix DNS overview dashboard There was an ID collision over the `DNS` ID. * Update dashboards.yml * Send zero value time.Duration With low resolution timers on Windows it's very possible that an event can have an event.duration=0 and we want to send that field when this occurs.
andrewkroh
added a commit
to andrewkroh/beats
that referenced
this issue
Jan 10, 2019
That dashboards were updated too. There weren't many changes needed w.r.t. fields but I did update the visualizations and saved searches to include `[Packetbeat]` in their names. I added a python test case for TLS and discovered a few fields that were not documented so I updated the fields docs accordingly. Here's a summary of what fields changed. Part of elastic#7968 Changed - responsetime -> event.duration (unit are now nanoseconds) Added - event.dataset = tls - event.end - event.start - network.community_id - network.protocol = tls - network.type - source.domain (added if there's a SNI value) Unchanged Packetbeat Fields - status - type = http (we might remove this since we have event.dataset)
andrewkroh
added a commit
that referenced
this issue
Jan 14, 2019
* Update TLS protocol to use ECS fields That dashboards were updated too. There weren't many changes needed w.r.t. fields but I did update the visualizations and saved searches to include `[Packetbeat]` in their names. I added a python test case for TLS and discovered a few fields that were not documented so I updated the fields docs accordingly. Here's a summary of what fields changed. Part of #7968 Changed - responsetime -> event.duration (unit are now nanoseconds) Added - event.dataset = tls - event.end - event.start - network.community_id - network.protocol = tls - network.type - source.domain (added if there's a SNI value) Unchanged Packetbeat Fields - status - type = http (we might remove this since we have event.dataset) * Update TLS Session Resume to remove xxx-nope
andrewkroh
added a commit
to andrewkroh/beats
that referenced
this issue
Jan 14, 2019
Only a few fields were changed. No dashboards were changed because there are no ICMP specific dashboards. Here's a summary of what fields changed. Part of elastic#7968 Changed - responsetime -> event.duration (unit are now nanoseconds) - bytes_in -> source.bytes - bytes_out -> destination.bytes Added - event.dataset = icmp - event.end - event.start - network.community_id - network.transport = icmp or ipv6-icmp - network.type = ipv4/ipv6 Unchanged Packetbeat Fields - status - type = icmp (we might remove this since we have event.dataset) - path = destination.ip (what is requested, not sure if this still makes sense)
andrewkroh
added a commit
that referenced
this issue
Jan 18, 2019
Here's a summary of what fields changed. Part of #7968 Changed - bytes_in -> source.bytes - bytes_out -> destination.bytes - responsetime -> event.duration (unit are now nanoseconds) Added - source - destination - event.dataset = redis - event.end - event.start - network.community_id - network.transport = tcp - network.protocol = redis - network.bytes - network.type Unchanged Packetbeat Fields - method - resource - path - query - status - type = redis (we might remove this since we have event.dataset)
andrewkroh
added a commit
that referenced
this issue
Jan 18, 2019
That dashboard was updated too. Here's a summary of what fields changed. Part of #7968 Changed - rpc.call_size -> source.bytes - rpc.reply_size -> destination.bytes - rpc.time -> event.duration (unit are now nanoseconds) Added - destination - event.dataset = nfs - event.end - event.start - network.bytes - network.community_id - network.protocol = nfsv4 or nfsv3 - network.transport = tcp - network.type - source - source.domain - set to the caller's RPC machine name Removed - rpc.time_str - Kibana should provide a human-readable form for event.duration rather than each event supplying a string. Unchanged Packetbeat Fields - status - type = nfs (we might remove this since we have event.dataset)
andrewkroh
added a commit
that referenced
this issue
Jan 18, 2019
That dashboard was updated too. Here's a summary of what fields changed. Part of #7968 Changed - bytes_in -> source.bytes - bytes_out -> destination.bytes - notes -> error.message - responsetime -> event.duration (unit are now nanoseconds) Added - destination - event.dataset = mysql - event.end - event.start - network.bytes - network.community_id - network.protocol = mysql - network.transport = tcp - network.type - source Removed - mysql.iserror - It was a boolean that reflected the same information as `status` which uses OK or Error. Unchanged Packetbeat Fields - method - query - params - path - status - type = mysql (we might remove this since we have event.dataset)
andrewkroh
added a commit
that referenced
this issue
Jan 18, 2019
That dashboard was updated too. Here's a summary of what fields changed. Part of #7968 Changed - bytes_in -> source.bytes - bytes_out -> destination.bytes - responsetime -> event.duration (unit are now nanoseconds) Added - destination - event.dataset = mongodb - event.end - event.start - network.bytes - network.community_id - network.protocol = mongodb - network.transport = tcp - network.type - source Removed - mysql.iserror - It was a boolean that reflected the same information as `status` which uses OK or Error. Unchanged Packetbeat Fields - method - resource - query - status - type = mongodb (we might remove this since we have event.dataset)
andrewkroh
added a commit
to andrewkroh/beats
that referenced
this issue
Jan 18, 2019
Here's a summary of what fields changed. Part of elastic#7968 Changed - bytes_in -> source.bytes - bytes_out -> destination.bytes - responsetime -> event.duration (unit are now nanoseconds) - transport -> network.transport = udp or tcp Added - destination - event.dataset = memcache - event.end - event.start - network.bytes - network.community_id - network.protocol = memcache - network.type - source Unchanged Packetbeat Fields - status - type = memcache (we might remove this since we have event.dataset)
andrewkroh
added a commit
that referenced
this issue
Jan 21, 2019
Here's a summary of what fields changed. Part of #7968 Changed - bytes_in -> source.bytes - bytes_out -> destination.bytes - responsetime -> event.duration (unit are now nanoseconds) - transport -> network.transport = udp or tcp Added - destination - event.dataset = memcache - event.end - event.start - network.bytes - network.community_id - network.protocol = memcache - network.type - source Unchanged Packetbeat Fields - status - type = memcache (we might remove this since we have event.dataset)
andrewkroh
added a commit
to andrewkroh/beats
that referenced
this issue
Jan 23, 2019
That dashboard was updated too. Here's a summary of what fields changed. Part of elastic#7968 Changed - bytes_in -> source.bytes - bytes_out -> destination.bytes - notes -> error.message - responsetime -> event.duration (unit are now nanoseconds) Added - destination - event.dataset = pgsql - event.end - event.start - network.bytes - network.community_id - network.protocol = pgsql - network.transport = tcp - network.type - source Removed - pgsql.iserror - It was a boolean that reflected the same information as `status` which uses OK or Error. - pgsql.query - It was in fields.yml but not in the code. Unchanged Packetbeat Fields - method - query - status - type = pgsql (we might remove this since we have event.dataset)
andrewkroh
added a commit
that referenced
this issue
Jan 24, 2019
* Update pgSQL protocol to use ECS fields That dashboard was updated too. Here's a summary of what fields changed. Part of #7968 Changed - bytes_in -> source.bytes - bytes_out -> destination.bytes - notes -> error.message - responsetime -> event.duration (unit are now nanoseconds) Added - destination - event.dataset = pgsql - event.end - event.start - network.bytes - network.community_id - network.protocol = pgsql - network.transport = tcp - network.type - source Removed - pgsql.iserror - It was a boolean that reflected the same information as `status` which uses OK or Error. - pgsql.query - It was in fields.yml but not in the code. Unchanged Packetbeat Fields - method - query - status - type = pgsql (we might remove this since we have event.dataset) * add event.end and event.duration * Add PR number to changelog * Remove time_zone from Kibana viz
|
@MikePaquette @webmat I have not added I'm assuming we will want:
For |
|
I haven't had time to look into event categorization much, yet. What's important for GA is to get all the breaking changes squared away. By this I mean the field name changes and type changes. Event categorization can be considered gradual additions, during the 7.x line. Conversely, rushing to get an answer for these fields may be annoying later. Not a huge breaking change if an event used to be The exception may be |
|
|
Yeah the consistency is specifically why I say we should wait after 7.0 FF, when we have the time to have a look around, consider all of our existing modules / sources, as well as others we expect to support shortly. Adding those after 7.0 is perfectly fine. Changing the value after the fact (if we get it wrong in a rush) is a breaking change (although a small one). |
andrewkroh
added a commit
to andrewkroh/beats
that referenced
this issue
Jan 24, 2019
- Add aliases - Clean up config files - Remove unused fields from fields.common.yml - Remove time_zone from dashboards - Update navigation links on dashboards to include all dashboards - Add DNS / TLS to overview dashboard to highlight the capabilities - Update fields used in the documentation - Move RPC fields to NFS from Mongo (they were in the wrong package) Part of elastic#7968
andrewkroh
added a commit
that referenced
this issue
Jan 24, 2019
- Add aliases - Clean up config files - Remove unused fields from fields.common.yml - Remove time_zone from dashboards - Update navigation links on dashboards to include all dashboards - Add DNS / TLS to overview dashboard to highlight the capabilities - Update fields used in the documentation - Move RPC fields to NFS from Mongo (they were in the wrong package) - Add scale to responsetime - Consolidate changelog entries to point to issue Part of #7968
andrewkroh
added a commit
to andrewkroh/beats
that referenced
this issue
Jan 28, 2019
Part of elastic#7968 Adds event.kind = event and event.category = network_traffic to all Packetbeat events. Packetbeat flow events will additional have event.action = network_flow (same as Filebeat netflow). This also does some cleanup of redundant and unused code that resulted from the ECS migration.
|
I opened #10357 to add:
We can add |
|
👍 |
andrewkroh
added a commit
that referenced
this issue
Jan 28, 2019
* Add event.kind and event.category Part of #7968 Adds event.kind = event and event.category = network_traffic to all Packetbeat events. Packetbeat flow events will additional have event.action = network_flow (same as Filebeat netflow). This also does some cleanup of redundant and unused code that resulted from the ECS migration. * Set method for http
DStape
pushed a commit
to DStape/beats
that referenced
this issue
Aug 20, 2019
* Update ECS fields Updating schema to commit 349406f59e5c7c80a20c9f213370d2601b73f040. Some fields were removed so I added placeholder fields with TODO statements. Those fields can be removed after modules using the fields are updated accordingly. * Convert Packetbeat Flows to ECS The makes changes to the event format generated by Packetbeat's flow feature. Field Changes - type -> event.type - transport -> network.transport - flow_id -> flow.id - final -> flow.final - vlan -> flow.vlan - start_time -> event.start - last_time -> event.end - source.stats.net_bytes_total -> source.bytes - source.stats.net_packets_total -> source.packets - dest.stats.net_bytes_total -> destination.bytes - dest.stats.net_packets_total -> destination.packets Added - network.bytes - network.packets - event.duration Frames with multiple levels of encapsulation like 802.1q with "Q-in-Q" will result in certain fields becoming an array with the outer most metadata being listed first (e.g. source.ip, destination.ip, flow.vlan). Any dashboards associated with flows are not updated in this change. Part of elastic#7968.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
For the next major release we want to change some of the common field names in Packetbeat to follow the Elastic Common Schema (ECS). This will make it much easier to query data related data from different sources.
We should break this task down into smaller pieces that are easily reviewable. Perhaps something like this.
ip,client_ip, etc.)Protocol Change Pull Requests
The text was updated successfully, but these errors were encountered: