Skip to content

Commit

Permalink
make update
Browse files Browse the repository at this point in the history
  • Loading branch information
Mathieu Martin committed Dec 21, 2018
1 parent 1356f03 commit 34c31dd
Show file tree
Hide file tree
Showing 16 changed files with 392 additions and 96 deletions.
59 changes: 48 additions & 11 deletions auditbeat/docs/fields.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -2844,10 +2844,22 @@ This id normally changes across restarts, but `agent.id` does not.
[float]
== client fields
A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjuction with server fields. Client fields are generally not populated for packet-level events.
A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events.
Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
*`client.address`*::
+
--
type: keyword
Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
--
*`client.ip`*::
+
--
Expand Down Expand Up @@ -3184,6 +3196,17 @@ Destination fields describe details about the destination of a packet/event. Des
*`destination.address`*::
+
--
type: keyword
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
--
*`destination.ip`*::
+
--
Expand Down Expand Up @@ -3366,13 +3389,13 @@ Meta-information specific to ECS.
--
type: keyword
example: 1.0.0-beta1
example: 1.0.0-beta2
required: True
ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
The current version is 1.0.0-beta1 .
The current version is 1.0.0-beta2 .
--
Expand Down Expand Up @@ -4248,9 +4271,10 @@ Name given by operators to sections of their network.
--
type: keyword
example: IPv4
example: ipv4
In the OSI Model this would be the Network Layer. IPv4, IPv6, IPSec, PIM, etc
In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.
--
Expand All @@ -4272,9 +4296,10 @@ IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol
--
type: keyword
example: TCP
example: tcp
Same as network.iana_number, but instead using the Keyword name of the transport layer (UDP, TCP, IPv6-ICMP, etc.)
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.
--
Expand All @@ -4284,9 +4309,10 @@ Same as network.iana_number, but instead using the Keyword name of the transport
--
type: keyword
example: AIM
example: aim
A name given to an application. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format.
The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.
--
Expand All @@ -4298,7 +4324,8 @@ type: keyword
example: http
L7 Network protocol name. ex. http, lumberjack, transport protocol
L7 Network protocol name. ex. http, lumberjack, transport protocol.
The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.
--
Expand Down Expand Up @@ -4854,9 +4881,21 @@ All of the IPs seen on your event.
== server fields
A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events.
Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
*`server.address`*::
+
--
type: keyword
Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
--
*`server.ip`*::
+
--
Expand Down Expand Up @@ -5514,8 +5553,6 @@ example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.
Unparsed version of the user_agent.
Field is not indexed.
--
*`user_agent.name`*::
Expand Down
2 changes: 1 addition & 1 deletion auditbeat/include/fields.go

Large diffs are not rendered by default.

59 changes: 48 additions & 11 deletions filebeat/docs/fields.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -870,10 +870,22 @@ This id normally changes across restarts, but `agent.id` does not.
[float]
== client fields
A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjuction with server fields. Client fields are generally not populated for packet-level events.
A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events.
Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
*`client.address`*::
+
--
type: keyword
Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
--
*`client.ip`*::
+
--
Expand Down Expand Up @@ -1210,6 +1222,17 @@ Destination fields describe details about the destination of a packet/event. Des
*`destination.address`*::
+
--
type: keyword
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
--
*`destination.ip`*::
+
--
Expand Down Expand Up @@ -1392,13 +1415,13 @@ Meta-information specific to ECS.
--
type: keyword
example: 1.0.0-beta1
example: 1.0.0-beta2
required: True
ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
The current version is 1.0.0-beta1 .
The current version is 1.0.0-beta2 .
--
Expand Down Expand Up @@ -2274,9 +2297,10 @@ Name given by operators to sections of their network.
--
type: keyword
example: IPv4
example: ipv4
In the OSI Model this would be the Network Layer. IPv4, IPv6, IPSec, PIM, etc
In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.
--
Expand All @@ -2298,9 +2322,10 @@ IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol
--
type: keyword
example: TCP
example: tcp
Same as network.iana_number, but instead using the Keyword name of the transport layer (UDP, TCP, IPv6-ICMP, etc.)
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.
--
Expand All @@ -2310,9 +2335,10 @@ Same as network.iana_number, but instead using the Keyword name of the transport
--
type: keyword
example: AIM
example: aim
A name given to an application. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format.
The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.
--
Expand All @@ -2324,7 +2350,8 @@ type: keyword
example: http
L7 Network protocol name. ex. http, lumberjack, transport protocol
L7 Network protocol name. ex. http, lumberjack, transport protocol.
The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.
--
Expand Down Expand Up @@ -2880,9 +2907,21 @@ All of the IPs seen on your event.
== server fields
A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events.
Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
*`server.address`*::
+
--
type: keyword
Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
--
*`server.ip`*::
+
--
Expand Down Expand Up @@ -3540,8 +3579,6 @@ example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.
Unparsed version of the user_agent.
Field is not indexed.
--
*`user_agent.name`*::
Expand Down
2 changes: 1 addition & 1 deletion filebeat/include/fields.go

Large diffs are not rendered by default.

Loading

0 comments on commit 34c31dd

Please sign in to comment.