Proposal: TLS related fields

README.md

@@ -43,6 +43,7 @@ ECS defines these fields.
  * [Process fields](#process)
  * [Service fields](#service)
  * [Source fields](#source)
+ * [TLS fields](#tls)
  * [URL fields](#url)
  * [User fields](#user)
  * [User agent fields](#user_agent)
@@ -358,6 +359,21 @@ Source fields describe details about the source of the event.
 | <a name="source.subdomain"></a>`source.subdomain`  | Source subdomain.  | keyword  |   |   |
 
 
+## <a name="tls"></a> TLS fields
+
+The tls fields contains the TLS related data about a specific connection.
+
+As an example in the case of Filebeat and the TCP input, the `version` field would be the version of the TLS protocol in use, the `certificates` would be the chain of certificates provided by the client and the `ciphersuite` is the encryption algorithm used for the communication.
+
+
+| Field  | Description  | Type  | Multi Field  | Example  |
+|---|---|---|---|---|
+| <a name="tls.version"></a>`tls.version`  | TLS version  | keyword  |   | `TLSv1.2`  |
+| <a name="tls.certificates"></a>`tls.certificates`  | An array of certificates.  | keyword  |   |   |
+| <a name="tls.servername"></a>`tls.servername`  | Server name requested by the client.  | keyword  |   | `localhost`  |
+| <a name="tls.ciphersuite"></a>`tls.ciphersuite`  | Name of the cipher used for the communication.  | keyword  |   | `ECDHE-ECDSA-AES-128-CBC-SHA`  |
+
+
 ## <a name="url"></a> URL fields
 
 URL fields provide a complete URL, with scheme, host, and path. The URL object can be reused in other prefixes, such as `host.url.*` for example. Keep the structure consistent whenever you use URL fields.

schema.csv

@@ -120,6 +120,10 @@ source.ip,ip,0,
 source.mac,keyword,1,
 source.port,long,1,
 source.subdomain,keyword,1,
+tls.certificates,keyword,0,
+tls.ciphersuite,keyword,0,ECDHE-ECDSA-AES-128-CBC-SHA
+tls.servername,keyword,0,localhost
+tls.version,keyword,0,TLSv1.2
 url.fragment,keyword,0,
 url.host.name,keyword,0,elastic.co
 url.href,text,0,https://elastic.co:443/search?q=elasticsearch#top

schemas/tls.yml

@@ -0,0 +1,36 @@
+---
+- name: tls
+  title: TLS
+  group: 2
+  description: >
+    The tls fields contain the TLS related data about a specific connection.
+
+    As an example in the case of Filebeat and the TCP input, the `version` field would be the
+    version of the TLS protocol in use, the `certificates` would be the chain of certificates
+    provided by the client and the `ciphersuite` is the encryption algorithm used for the
+    communication.
+  fields:
+    - name: version
+      type: keyword
+      description: >
+        TLS version.
+
+      example: TLSv1.2
+    - name: certificates
+      type: keyword
+      description: >
+        An array of certificates.
+      ignore_above: -1
+      doc_values: false
+    - name: servername
+      type: keyword
+      description: >
+        Server name requested by the client.
+
+      example: localhost
+    - name: ciphersuite
+      type: keyword
+      description: >
+        Name of the cipher used for the communication.
+
+      example: ECDHE-ECDSA-AES-128-CBC-SHA

template.json

@@ -621,6 +621,26 @@
           "ignore_above": 1024,
           "type": "keyword"
         },
+        "tls": {
+          "properties": {
+            "certificates": {
+              "doc_values": false,
+              "type": "keyword"
+            },
+            "ciphersuite": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "servername": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
         "url": {
           "properties": {
             "fragment": {