New use case: Firewall #125
Comments
Yes, this is precisely how
Can you give examples of what would go in there? Is it a rule ID or a textual representation of the rule?
We're in the process of documenting how to go about using fields that aren't defined in ECS in your event stream. I don't see a problem with you using these fields in your stream and it being ECS compliant. Of course we may eventually decide to add them to ECS if it's a common enough use case. But you shouldn't feel blocked from using these fields in your stream.
The "rule" will be the firewall rule name that is hit and that generates this log/event and denies or permits the traffic.
Of course I can add those fields, but these fields are used quite commonly in the big firewall vendors (Juniper, PaloAlto, Cisco etc.). That's why I would say they earn a well documented spot with the correct naming here.
Yes, agreed. The context of my comment is that we are working on making ECS GA soon (a minimum viable version of it). This means we must focus on firming up the fundamentals and keep the work on some of the use cases for later.
@Woudan Because you could open a PR against use-cases for this: https://github.com/elastic/ecs/tree/master/use-cases There we have other fields which are not in ECS yet but should be taken into consideration.
Came here looking for this as I was looking at how to work with my firewall logs. Searching around led me to packetbeat and here: https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-flows_event.html
Just wanted to add that I'm also missing the following 'firewall' related fields:
Some example globalprotect palo alto logs:
Or is there already any existing field I should put the reason of the event in? About source and destination region, these can be populated with an ip range (internal regions) or land codes. So I probably should create a conditional and set geo.country_iso_code if it's a country code... But can I set auth_type? It seems more like a custom Palo Alto field, not sure yet where I should put that. Also I can find a field
Some other fields that I came across in firewall logging are:
I also need to retain zone info for source|destination, as well as a rule(/+policy) field. Rules should be keyword, as though it's often numeric, it's not always, depending on vendor. Examples: Checkpoint syslog:
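The two points raised above, the conditional that sends a region value to geo.country_iso_code only when it is a country code (and to a custom field otherwise), and storing the rule as a string so it can stay a keyword regardless of vendor, are easy to get wrong in an ingest pipeline. The following Python is an added example written for this thread; it is not code from the ECS project or from any commenter. It assumes rule.name, observer.ingress.zone, observer.egress.zone, event.action, event.reason and geo.country_iso_code as ECS field names, while the custom.* paths and the SAMPLE_EVENT record are constructed for illustration and are not ECS or vendor fields.

```python
import ipaddress
import re

# Two upper-case letters, the shape ECS expects for geo.country_iso_code.
_ISO_ALPHA2 = re.compile(r"^[A-Z]{2}$")

# Constructed sample, loosely shaped like a key/value firewall traffic log.
# It is not a real vendor record.
SAMPLE_EVENT = {
    "src_region": "10.0.0.0/8",  # internal region expressed as an IP range
    "dst_region": "DE",          # country code
    "src_zone": "trust",
    "dst_zone": "untrust",
    "rule": "1042",              # numeric here, but not for every vendor
    "action": "allow",
    "reason": "policy-match",
}


def _is_ip_or_cidr(value):
    """True when the value parses as an IPv4/IPv6 address or network."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def _put(doc, dotted, value):
    """Set a dotted path such as 'source.geo.country_iso_code' in a nested dict."""
    parts = dotted.split(".")
    node = doc
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def map_region(side, value):
    """Return (field, value) for a region value on 'source' or 'destination'.

    A country code goes to the ECS geo.country_iso_code field under that
    side. Anything else (an IP range or a free-text internal region name)
    goes to a hypothetical custom.* namespace, since ECS has no field for it.
    """
    if _ISO_ALPHA2.match(value):
        return f"{side}.geo.country_iso_code", value
    if _is_ip_or_cidr(value):
        return f"{side}.custom.region_cidr", value  # hypothetical custom field
    return f"{side}.custom.region", value           # hypothetical custom field


def to_ecs(raw):
    """Build a nested ECS-style document from a flat firewall event."""
    doc = {}
    for side, key in (("source", "src_region"), ("destination", "dst_region")):
        if key in raw:
            field, value = map_region(side, raw[key])
            _put(doc, field, value)
    # Always a string: the index mapping can then stay 'keyword' even when
    # one vendor emits numeric rule ids and another emits rule names.
    _put(doc, "rule.name", str(raw["rule"]))
    _put(doc, "observer.ingress.zone", raw["src_zone"])
    _put(doc, "observer.egress.zone", raw["dst_zone"])
    _put(doc, "event.action", raw["action"])
    _put(doc, "event.reason", raw["reason"])
    return doc


if __name__ == "__main__":
    import json
    print(json.dumps(to_ecs(SAMPLE_EVENT), indent=2))
```

The same branching can be expressed as a conditional in a Logstash filter or an ingest pipeline; the important part is that only values matching the country-code shape are written to geo.country_iso_code, so the field keeps a single, consistent meaning across vendors.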
We currently have the RULE category being added in 1.4 which addresses point #3.
IPv6:
Then we get into more granular protocol level details... This can be found under https://docs.netgate.com/pfsense/en/latest/monitoring/filter-log-format-for-pfsense-2-2.html after the IPV4 & IPV6 section.
I just came across this issue while looking for icmp(v6) type and code fields. Please add those to a future ECS version please.
Hi @abraxxa - a stage 0 RFC proposal was recently merged as a first step towards introducing ICMP/ICMPv6 fields in addition to network headers. We expect to continue moving the proposal forward soon.
As summarized here, many of the original discussion points have been introduced into ECS since this discussion started. Let's close this discussion in favor of the network headers RFC.
A lot of fields are already present but a few are missing for basic traffic logging of a zone based firewall.
I don't think it's necessary to add specific firewall fields but I'm not sure. I've got the following proposition: