Additions to event (#439)
- Added `event.code` (See elastic/beats#10333)
- Added `event.sequence` (See #129, elastic/beats#10760)
- Added `event.provider` (See #321)
  - Note: Beats modules currently put the Syslog "programname" in `process.name` which is sometimes accurate, sometimes not (e.g. "kernel"). event.provider would be a better field for this.
- Explain event.module and event.dataset without mentioning Beats
Mathieu Martin authored May 1, 2019
1 parent 8a2bd9d commit 580752c
Showing 12 changed files with 332 additions and 69 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.md
Expand Up @@ -13,6 +13,7 @@
* Generator for the asciidoc rendering of field definitions. #347
* Generator for the Beats fields.ecs.yml file. #379
* Added field formats to all `.bytes` fields and `event.duration`. #385
* Added `event.code`, `event.sequence` and `event.provider`. #439

### Improvements
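Review bot: the entry lists the three new fields but not the other user-visible change in this commit, the reworded `event.module` and `event.dataset` descriptions with their new examples (`apache`, `apache.access`); since those examples flow into the generated fields.csv and fields.ecs.yml, a mention here or a bullet under Improvements would make that change discoverable from the changelog.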

31 changes: 27 additions & 4 deletions code/go/ecs/event.go


49 changes: 45 additions & 4 deletions docs/field-details.asciidoc
Expand Up @@ -706,6 +706,19 @@ example: `user-management`

// ===============================================================

| event.code
| Identification code for this event, if one exists.

Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.

type: keyword

example: `4648`

| extended

// ===============================================================

| event.created
| event.created contains the date/time when the event was first read by an agent, or by your pipeline.
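Review bot: the `event.code` description should say whether the field holds the source's raw code or a normalized one, and, since the type is `keyword`, that numeric codes such as the Windows Event ID in the example are stored as strings. A reader writing a query will otherwise try `4648` as a number; one sentence like "Codes are stored as strings, so match on `"4648"`" in the description would avoid that.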

Expand All @@ -726,11 +739,13 @@ type: date
| event.dataset
| Name of the dataset.

The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name.
If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.

It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.

type: keyword

example: `stats`
example: `apache.access`

| core
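Review bot: the last sentence of the new `event.dataset` description is circular: "start the dataset name with the module name, followed by a dot, then the dataset name" defines the dataset name in terms of itself. Suggest "followed by a dot, then the name of the specific log or metric set, e.g. `apache.access`", which also ties the sentence to the new example. Minor: "more than one type of log or events" should read "more than one type of log or event".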

Expand Down Expand Up @@ -798,11 +813,11 @@ example: `state`
| event.module
| Name of the module this data is coming from.

This information is coming from the modules used in Beats or Logstash.
If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.

type: keyword

example: `mysql`
example: `apache`

| core
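Review bot: the new `event.module` description only covers agents that have modules; it should say what to do when the agent does not (leave the field unset rather than filling it with, say, the agent name). Without that, pipelines will populate it inconsistently and break the `event.module`/`event.dataset` pairing that the new examples (`apache`, `apache.access`) now illustrate.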

Expand Down Expand Up @@ -834,6 +849,19 @@ example: `success`

// ===============================================================

| event.provider
| Source of the event.

Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).

type: keyword

example: `kernel`

| extended

// ===============================================================

| event.risk_score
| Risk score or priority of the event (e.g. security solutions). Use your system's original value here.

Expand All @@ -854,6 +882,19 @@ type: float



| extended

// ===============================================================

| event.sequence
| Sequence number of the event.

The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision.

type: long



| extended

// ===============================================================
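Review bot: typo in the `event.sequence` description, "regarless" should be "regardless". The field is also the only one of the three new fields without an example, and the description should state the scope within which the sequence is monotonic (per event source or provider, not globally), since ordering events by `event.sequence` across hosts would otherwise look valid but be meaningless.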
45 changes: 39 additions & 6 deletions generated/beats/fields.ecs.yml
Expand Up @@ -583,6 +583,16 @@
multiple actions. Warning: In future versions of ECS, we plan to provide a
list of acceptable values for this field, please use with caution.'
example: user-management
- name: code
level: extended
type: keyword
ignore_above: 1024
description: 'Identification code for this event, if one exists.
Some event sources use event codes to identify messages unambiguously, regardless
of message language or wording adjustments over time. An example of this is
the Windows Event ID.'
example: 4648
- name: created
level: core
type: date
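Review bot: `example: 4648` is unquoted, so a YAML parser reads it as an integer even though the field is `type: keyword`; quoting it (`example: '4648'`) keeps the example's type consistent with the field and stops downstream generators from emitting a number for a string field. As this file is generated, the change belongs in the source schema that produces it.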
Expand All @@ -604,10 +614,13 @@
ignore_above: 1024
description: 'Name of the dataset.
The concept of a `dataset` (fileset / metricset) is used in Beats as a subset
of modules. It contains the information which is currently stored in metricset.name
and metricset.module or fileset.name.'
example: stats
If an event source publishes more than one type of log or events (e.g. access
log, error log), the dataset is used to specify which one the event comes
from.
It''s recommended but not required to start the dataset name with the module
name, followed by a dot, then the dataset name.'
example: apache.access
- name: duration
level: core
type: long
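Review bot: the escaped apostrophe in `It''s` is correct for a single-quoted YAML scalar, but the sentence carries the same circular wording as the asciidoc ("then the dataset name" while defining the dataset name); fix it in the source schema so both generated outputs change together.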
Expand Down Expand Up @@ -654,8 +667,10 @@
ignore_above: 1024
description: 'Name of the module this data is coming from.
This information is coming from the modules used in Beats or Logstash.'
example: mysql
If your monitoring agent supports the concept of modules or plugins to process
events of a given source (e.g. Apache logs), `event.module` should contain
the name of this module.'
example: apache
- name: original
level: core
type: keyword
Expand All @@ -677,6 +692,17 @@
versions of ECS, we plan to provide a list of acceptable values for this field,
please use with caution.'
example: success
- name: provider
level: extended
type: keyword
ignore_above: 1024
description: 'Source of the event.
Event transports such as Syslog or the Windows Event Log typically mention
the source of an event. It can be the name of the software that generated
the event (e.g. Sysmon, httpd), or of a subsystem of the operating system
(kernel, Microsoft-Windows-Security-Auditing).'
example: kernel
- name: risk_score
level: core
type: float
Expand All @@ -690,6 +716,13 @@
This is mainly useful if you use more than one system that assigns risk scores,
and you want to see a normalized value across all systems.'
- name: sequence
level: extended
type: long
description: 'Sequence number of the event.
The sequence number is a value published by some event sources, to make the
exact ordering of events unambiguous, regarless of the timestamp precision.'
- name: severity
level: core
type: long
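Review bot: same typo as in the docs, "regarless" on the last line of the `sequence` description should be "regardless"; since this file is generated, correct it in the source schema. `sequence` also has no `example:` while `code` and `provider` do, so it is the one new field whose generated CSV row will carry an empty example column.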
7 changes: 5 additions & 2 deletions generated/csv/fields.csv
Expand Up @@ -71,18 +71,21 @@ error.id,keyword,core,,1.1.0-dev
error.message,text,core,,1.1.0-dev
event.action,keyword,core,user-password-change,1.1.0-dev
event.category,keyword,core,user-management,1.1.0-dev
event.code,keyword,extended,4648,1.1.0-dev
event.created,date,core,,1.1.0-dev
event.dataset,keyword,core,stats,1.1.0-dev
event.dataset,keyword,core,apache.access,1.1.0-dev
event.duration,long,core,,1.1.0-dev
event.end,date,extended,,1.1.0-dev
event.hash,keyword,extended,123456789012345678901234567890ABCD,1.1.0-dev
event.id,keyword,core,8a4f500d,1.1.0-dev
event.kind,keyword,extended,state,1.1.0-dev
event.module,keyword,core,mysql,1.1.0-dev
event.module,keyword,core,apache,1.1.0-dev
event.original,keyword,core,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,1.1.0-dev
event.outcome,keyword,extended,success,1.1.0-dev
event.provider,keyword,extended,kernel,1.1.0-dev
event.risk_score,float,core,,1.1.0-dev
event.risk_score_norm,float,extended,,1.1.0-dev
event.sequence,long,extended,,1.1.0-dev
event.severity,long,core,7,1.1.0-dev
event.start,date,extended,,1.1.0-dev
event.timezone,keyword,extended,,1.1.0-dev
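Review bot: `event.sequence,long,extended,,1.1.0-dev` ships with an empty example column while `event.code` and `event.provider` carry one; add an example in the source schema so it is regenerated here. The `event.dataset` and `event.module` rows appear as removed/added pairs (`stats` to `apache.access`, `mysql` to `apache`), which confirms the examples are derived from the same source and need no manual edit in this file.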