Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update to ECS v1.1.0 #13320

Closed
6 tasks done
andrewkroh opened this issue Aug 22, 2019 · 0 comments
Closed
6 tasks done

Update to ECS v1.1.0 #13320

andrewkroh opened this issue Aug 22, 2019 · 0 comments
Labels
ecs

Comments

@andrewkroh
Copy link
Member

andrewkroh commented Aug 22, 2019
edited
Loading

Update Beats to ECS v1.1.0. https://github.com/elastic/ecs/releases/tag/v1.1.0

Changes for ECS DNS

Changes for ECS NAT
@andrewkroh andrewkroh added the ecs label Aug 22, 2019
@andrewkroh andrewkroh mentioned this issue Aug 22, 2019
Merged
@andrewkroh andrewkroh mentioned this issue Aug 22, 2019
Merged
2 tasks
@andrewkroh andrewkroh mentioned this issue Aug 23, 2019
Merged
1 task
@andrewkroh andrewkroh mentioned this issue Aug 23, 2019
Merged
andrewkroh added a commit to andrewkroh/beats that referenced this issue Aug 23, 2019
@andrewkroh
Update fields.yml for ECS v1.1.0
f578a59 
This updates the fields.ecs.yml file and the vendored Go code to be based on ECS v1.1.0.

Relates elastic#13320
andrewkroh added a commit that referenced this issue Aug 24, 2019
@andrewkroh
Update fields.yml for ECS v1.1.0 (#13321)
b5d967f 
This updates the fields.ecs.yml file and the vendored Go code to be based on ECS v1.1.0.

Relates #13320
andrewkroh added a commit to andrewkroh/beats that referenced this issue Aug 26, 2019
@andrewkroh
Update Suricata for ECS DNS
f8ba4d3 
This updates the Suricata module to populate the ECS DNS fields. It does not remove existing `suricata.eve.dns.*` fields to preserve backward compatibility.

This also enhances the pipeline to handle the Suricata detailed DNS format (aka version 2). It requires that when using EVE DNS `version: 2` that `formats: [detailed]` is used (`grouped` can be enabled too but it is ignored).

`log.original` is now populated with the original JSON log data.

`source.address` and `destination.address` are now populated.

`event.end` is populated with the `flow.end` value now and hence some events that did not contain `flow.end` no longer have an `event.end`.

Relates elastic#13320
andrewkroh added a commit to andrewkroh/beats that referenced this issue Aug 26, 2019
@andrewkroh
Set ECS NAT fields in PAN-OS fileset
2f3a24d 
This updates the panw.panos fileset to populate the ECS NAT fields. The original non-ECS fields are still being populated to not break backwards compatibility.

Relates elastic#13320
andrewkroh added a commit that referenced this issue Aug 26, 2019
@andrewkroh
Set ECS NAT fields in PAN-OS fileset (#13330)
3e34fb6 
This updates the panw.panos fileset to populate the ECS NAT fields. The original non-ECS fields are still being populated to not break backwards compatibility.

Relates #13320
andrewkroh added a commit to andrewkroh/beats that referenced this issue Aug 27, 2019
@andrewkroh
Add DNS header_flags, registered_domain, resolved_ip
5371ba4 
 Add DNS fields for ECS. This adds three fields:

- dns.question.registered_domain
- dns.header_flags
- dns.resolved_ip

Relates elastic#13320
@andrewkroh andrewkroh mentioned this issue Aug 27, 2019
Merged
andrewkroh added a commit to andrewkroh/beats that referenced this issue Aug 27, 2019
@andrewkroh
Update zeek dns pipeline with ECS DNS fields
5b6ea8f 
This adds ECS DNS fields to the Zeek DNS fileset (but does not change or remove any existing ones).

Relates elastic#13320
andrewkroh added a commit that referenced this issue Aug 27, 2019
@andrewkroh
Update Suricata for ECS DNS (#13329)
835e063 
This updates the Suricata module to populate the ECS DNS fields. It does not remove existing `suricata.eve.dns.*` fields to preserve backward compatibility.

This also enhances the pipeline to handle the Suricata detailed DNS format (aka version 2). It requires that when using EVE DNS `version: 2` that `formats: [detailed]` is used (`grouped` can be enabled too but it is ignored).

`event.original` is now populated with the original JSON log data.

`source.address` and `destination.address` are now populated.

`event.end` is populated with the `flow.end` value now and hence some events that did not contain `flow.end` no longer have an `event.end`.

Relates #13320
andrewkroh added a commit that referenced this issue Aug 27, 2019
@andrewkroh
Add DNS header_flags, registered_domain, resolved_ip (#13354)
24796c6 
Add DNS fields for ECS. This adds three fields:

- dns.question.registered_domain
- dns.header_flags
- dns.resolved_ip

Relates #13320
andrewkroh added a commit that referenced this issue Aug 27, 2019
@andrewkroh
Update Zeek DNS pipeline with ECS DNS fields (#13324)
3a69204 
This adds ECS DNS fields to the Zeek DNS fileset (but does not change or remove any existing ones).

Use event.original
Add registered_domain
Add dns.resolved_ip

Relates #13320
@andrewkroh andrewkroh mentioned this issue Aug 28, 2019
Merged
andrewkroh added a commit to andrewkroh/beats that referenced this issue Aug 29, 2019
@andrewkroh
Add dns.type to Packetbeat
f492a23 
Set `dns.type` to `answer` when a response packet is present and to `query` when there's only a request packet.

Relates elastic#13320
@andrewkroh andrewkroh mentioned this issue Aug 29, 2019
Merged
andrewkroh added a commit that referenced this issue Aug 30, 2019
@andrewkroh
Add dns.type to Packetbeat (#13427)
f2c6556 
Set `dns.type` to `answer` when a response packet is present and to `query` when there's only a request packet.

Relates #13320
andrewkroh added a commit to andrewkroh/beats that referenced this issue Aug 30, 2019
@andrewkroh
Add dns.type to Packetbeat (elastic#13427)
e51e27e 
Set `dns.type` to `answer` when a response packet is present and to `query` when there's only a request packet.

Relates elastic#13320

(cherry picked from commit f2c6556)
@andrewkroh andrewkroh mentioned this issue Aug 30, 2019
Merged
andrewkroh added a commit that referenced this issue Aug 30, 2019
@andrewkroh
Add dns.type to Packetbeat (#13427) (#13453)
9a5a938 
Set `dns.type` to `answer` when a response packet is present and to `query` when there's only a request packet.

Relates #13320

(cherry picked from commit f2c6556)
@andrewkroh andrewkroh mentioned this issue Sep 5, 2019
Merged
andrewkroh added a commit to andrewkroh/beats that referenced this issue Sep 5, 2019
@andrewkroh
Update pipelines for ECS DNS
23e65a1 
This sets the ECS DNS fields. It does not remove the coredns.* fields to avoid introducing
a breaking change.

Relates elastic#13320
andrewkroh added a commit that referenced this issue Sep 11, 2019
@andrewkroh
[Filebeat] Update CoreDNS pipelines for ECS DNS (#13505)
8f2216e 
This sets the ECS DNS fields. It does not remove the coredns.* fields to avoid introducing
a breaking change.

* Convert coredns ingest pipeline to YAML
* Update pipelines for ECS DNS
* Right trim trailing dots in dns.question.name

Relates #13320
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
@andrewkroh
Add dns.type to Packetbeat (elastic#13427) (elastic#13453)
e0246d0 
Set `dns.type` to `answer` when a response packet is present and to `query` when there's only a request packet.

Relates elastic#13320

(cherry picked from commit ba71859)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ecs
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@andrewkroh