Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migrate Winlogbeat to ECS #10169

Closed
wants to merge 1 commit into from
Closed

Migrate Winlogbeat to ECS #10169

wants to merge 1 commit into from

Conversation

ruflin
Copy link
Contributor

@ruflin ruflin commented Jan 18, 2019

This PR is to kick of a discussion around Winlogbeat and ECS migration.

@ruflin
Migrate Winlogbeat to ECS
aba4b89 
This PR is to kick of a discussion around Winlogbeat and ECS migration.
@ruflin ruflin added in progress Pull request is currently in progress. review Winlogbeat ecs labels Jan 18, 2019
@ruflin ruflin requested review from webmat and andrewkroh January 18, 2019 14:27
@ruflin ruflin requested a review from a team as a code owner January 18, 2019 14:27
@ruflin
Copy link
Contributor Author

ruflin commented Jan 18, 2019

@webmat @andrewkroh I kicked this off for the changes in ECS. The part I'm not very clear here is which fields are very event log specific and which ones actually should we map to ECS. Could you have a look and leave your comments?

This is not complete yet but should have questions for all the relevant fields.

@ruflin ruflin self-assigned this Jan 18, 2019
@ruflin ruflin mentioned this pull request Jan 18, 2019
Closed
webmat
webmat reviewed Jan 18, 2019
View reviewed changes
Copy link
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm proposing two adjustments to @ruflin's proposed field renames.

Here are some more ideas of field transitions that may make sense:

  • keywords => does this map to tags?
  • source_name => process.name

winlogbeat/_meta/fields.common.yml
@@ -31,7 +32,8 @@
activity.

- name: computer_name
type: keyword
type: alias
path: host.name
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rather host.hostname. host.name is meant to be overridable.

winlogbeat/_meta/fields.common.yml
@@ -116,7 +123,8 @@
the event.

- name: process_id
type: long
type: alias
path: process.id
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

process.pid

andrewkroh
andrewkroh reviewed Jan 24, 2019
View reviewed changes
winlogbeat/_meta/fields.common.yml
@@ -49,7 +51,8 @@
earlier versions of Windows.

- name: event_id
type: long
type: alias
path: event.id
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not the same as ECS event.id (at least in my understanding). This more like an identifier for the log message in the application. For example 1102 is "The audit log was cleared".

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

record_number is closer to event.id but it's only unique given some additional constraints. If we wanted to populate event.id I'd do a fast hash of @timestamp + computer_name + log_name + record_number.

winlogbeat/_meta/fields.common.yml Show resolved Hide resolved
winlogbeat/_meta/fields.common.yml Show resolved Hide resolved
winlogbeat/eventlog/eventlog.go
@@ -139,7 +139,7 @@ func (e Record) ToEvent() beat.Event {
// MapStr.
func addOptional(m common.MapStr, key string, v interface{}) {
if m != nil && !isZero(v) {
m[key] = v
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few lines up...

e.TimeCreated.SystemTime is used to populate @timestamp. That's the time the event was originally logged. So it would be nice to populate event.created with the current time.

webmat
webmat reviewed Jan 24, 2019
View reviewed changes
winlogbeat/_meta/fields.common.yml
type: keyword
# This does not exist yet
path: log.name
type: alias
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to understand better the relation between log_name and source_name. Is there a place where we can see sample data? I haven't found anything obvious.

@webmat webmat mentioned this pull request Jan 24, 2019
Merged
9 tasks
@webmat
Copy link
Contributor

webmat commented Jan 25, 2019

I'm taking over the work here, and I opened #10333 to continue the work. I'll take all comments here into account, but please move further discussion over to #10333 :-)

@webmat webmat closed this Jan 25, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh left review comments

@webmat webmat webmat left review comments

Assignees

@ruflin ruflin

Labels
ecs in progress Pull request is currently in progress. review Winlogbeat
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ruflin @webmat @andrewkroh