Commit

Set event.type for Packetbeat flow events (#24564) (#24633)
Add `event.type: [connection]` to flow events and include `end` for final flows.

(cherry picked from commit 7f35a78)
andrewkroh authored Mar 18, 2021
1 parent 99d807f commit 657ed08
Showing 3 changed files with 8 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -674,6 +674,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d


- Upgrade to ECS 1.8.0. {pull}23783[23783]
- Add `event.type: [connection]` to flow events and include `end` for final flows. {pull}24564[24564]

*Functionbeat*

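Review bot: the new CHANGELOG line does not name the beat, and the section heading it falls under is outside the visible context (only the following `*Functionbeat*` heading is shown). Confirm the entry sits in the Packetbeat list, and consider wording it as "Add `event.type: [connection]` to Packetbeat flow events ..." so the line is unambiguous when read out of context in release notes.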
6 changes: 6 additions & 0 deletions packetbeat/flows/worker.go
Expand Up @@ -220,6 +220,12 @@ func createEvent(
"category": []string{"network_traffic", "network"},
"action": "network_flow",
}
eventType := []string{"connection"}
if isOver {
eventType = append(eventType, "end")
}
event["type"] = eventType

flow := common.MapStr{
"id": common.NetString(f.id.Serialize()),
"final": isOver,
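Review bot: the `if isOver` block in createEvent has no comment explaining why `end` is appended, and `isOver` is the same value written to `flow.final` just below. A one-line comment stating that `event.type` gains `end` exactly when `flow.final` is true would help anyone writing queries or detection rules against either field keep them in sync if one of the two is changed later. Non-final flow reports carry only `connection`; if that is intentional (no `start` for the first report), say so in the same comment.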
1 change: 1 addition & 0 deletions packetbeat/tests/system/test_0060_flows.py
Expand Up @@ -47,6 +47,7 @@ def test_mysql_flow(self):
'source.bytes': 1480,
'destination.packets': 10,
'destination.bytes': 181133,
'event.type': ['connection', 'end'],
})

start_ts = parse_timestamp(objs[0]['event.start'])
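Review bot: the only assertion added, in test_mysql_flow, checks the final-flow value `['connection', 'end']`; nothing verifies that a non-final flow report carries just `['connection']`. Since the `if isOver` branch in worker.go is the only logic this commit introduces, a test that inspects an intermediate flow event (one with `flow.final` false) would cover the other side of that branch.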

0 comments on commit 657ed08