Swap `source.bytes` and `destination.bytes` traffic log mappings #32927
This documentation currently maps `Bytes Received` to `server.bytes` and `source.bytes` as well as `Bytes Sent` to `client.bytes` and `destination.bytes`. This mapping is incorrect as per the [Palo Alto Docs](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields), `bytes_sent` is defined as `Number of bytes in the client-to-server direction of the session.` and matches the ECS definitions for `client.bytes` and `source.bytes` being bytes from `client/source => server/destination`. Likewise, `bytes_received` is defined as `Number of bytes in the server-to-client direction of the session.` and matches the `destination.bytes` and `server.bytes` definitions in ECS being the bytes sent from `server/destination => client/source`. Furthermore, the [panw filebeat module mapping](https://github.com/elastic/beats/blob/v8.4.0/x-pack/filebeat/module/panw/panos/config/input.yml#L95) and [integration pipeline](https://github.com/elastic/integrations/blob/main/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/traffic.yml#L212) both follow the above conventions. This proposed change will map `Bytes Received` to `destination.bytes` and `Bytes Sent` to `client.bytes`.
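The direction semantics the PR description relies on, as an added example that is not part of the PR, the beats module or the panw integration pipeline. It maps the two PAN-OS directional counters onto ECS the way the PR proposes, keeps the previously documented (inverted) mapping beside it to show what goes wrong, and runs the consistency checks a practitioner can apply to any PAN-OS-to-ECS mapping: the `source`/`client` and `destination`/`server` counters must agree, and the two directions must add up to the PAN-OS session total `bytes`. The traffic records are constructed for the example; the field names follow the PAN-OS traffic-log field descriptions, the values are made up.

```python
"""Map PAN-OS traffic-log byte counters onto ECS with the direction
semantics the PR relies on: bytes_sent is client-to-server, bytes_received
is server-to-client.  Added example; not code from elastic/beats or the
panw integration."""

from typing import Dict, List

# Constructed PAN-OS traffic records for the example (field names follow the
# PAN-OS syslog field descriptions; the values are made up).  `bytes` is the
# session total that PAN-OS reports alongside the two directional counters.
SAMPLE_TRAFFIC_RECORDS: List[Dict[str, object]] = [
    # a client downloading: most bytes flow server -> client
    {"src": "10.1.2.3", "dst": "203.0.113.10", "bytes": 5300,
     "bytes_sent": 300, "bytes_received": 5000},
    # a client uploading: most bytes flow client -> server
    {"src": "10.1.2.4", "dst": "198.51.100.7", "bytes": 41000,
     "bytes_sent": 40000, "bytes_received": 1000},
]


def map_traffic_to_ecs(record: Dict[str, object]) -> Dict[str, int]:
    """Mapping that matches the PAN-OS definitions and ECS:
    bytes_sent     (client -> server) -> source.bytes and client.bytes
    bytes_received (server -> client) -> destination.bytes and server.bytes
    """
    sent = int(record["bytes_sent"])
    received = int(record["bytes_received"])
    return {
        "source.bytes": sent,
        "client.bytes": sent,
        "destination.bytes": received,
        "server.bytes": received,
        "network.bytes": int(record["bytes"]),
    }


def map_traffic_to_ecs_as_previously_documented(record: Dict[str, object]) -> Dict[str, int]:
    """The inverted mapping the docs described before this PR, kept only to
    show its effect: bytes_received -> source.bytes and server.bytes,
    bytes_sent -> client.bytes and destination.bytes."""
    sent = int(record["bytes_sent"])
    received = int(record["bytes_received"])
    return {
        "source.bytes": received,
        "server.bytes": received,
        "client.bytes": sent,
        "destination.bytes": sent,
        "network.bytes": int(record["bytes"]),
    }


def check_ecs_bytes(ecs: Dict[str, int]) -> List[str]:
    """Consistency checks a correct PAN-OS -> ECS mapping must satisfy.
    Returns human-readable problems; an empty list means consistent."""
    problems: List[str] = []
    # For a firewall session the ECS source/client pair and the
    # destination/server pair describe the same endpoint, so the paired
    # byte counters must agree.
    if ecs["source.bytes"] != ecs["client.bytes"]:
        problems.append("source.bytes != client.bytes")
    if ecs["destination.bytes"] != ecs["server.bytes"]:
        problems.append("destination.bytes != server.bytes")
    # The two directional counters must add up to the session total.
    if ecs["source.bytes"] + ecs["destination.bytes"] != ecs["network.bytes"]:
        problems.append("source.bytes + destination.bytes != network.bytes")
    return problems


def bulk_direction(ecs: Dict[str, int]) -> str:
    """'server_to_client' when most bytes went destination -> source (a
    download), 'client_to_server' otherwise.  Comparing this against traffic
    of known shape is how an inverted mapping gets noticed in practice: the
    previously documented mapping labels a download as an upload."""
    if ecs["destination.bytes"] > ecs["source.bytes"]:
        return "server_to_client"
    return "client_to_server"


if __name__ == "__main__":
    for rec in SAMPLE_TRAFFIC_RECORDS:
        good = map_traffic_to_ecs(rec)
        old = map_traffic_to_ecs_as_previously_documented(rec)
        print(rec["src"], "->", rec["dst"],
              "| correct:", bulk_direction(good), check_ecs_bytes(good),
              "| old docs:", bulk_direction(old), check_ecs_bytes(old))
```

The paired-counter check is the useful one: the mapping the docs used to describe put `Bytes Received` in `source.bytes` but `Bytes Sent` in `client.bytes`, so it fails `source.bytes == client.bytes` on any record where the two directions differ, even though the totals still add up. The same assertions can be run against documents pulled back from Elasticsearch to confirm a pipeline and its documentation agree.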
This pull request does not have a backport label.
To fix up this pull request, you need to add the backport labels for the needed
Pinging @elastic/obs-docs (Team:Docs)
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Please reflect these changes in `filebeat/docs/modules/panw.asciidoc`. You can do this by running `make update` in the filebeat (not x-pack) directory or just by copying these changes over to that file.
Swapping the values of `source.bytes` and `destination.bytes` in order to align the documentation with the changes implemented in #18525
LGTM!
Going to merge this to get it into the published docs. Let me know if it's critical to backport this to other branches that are no longer in-service. (It will be backported to 8.4 and 7.17.) Thanks!
Merge commit message:

* Swap `source.bytes` and `destination.bytes` traffic log mappings

  This documentation currently maps `Bytes Received` to `server.bytes` and `source.bytes` as well as `Bytes Sent` to `client.bytes` and `destination.bytes`. This mapping is incorrect as per the [Palo Alto Docs](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields), `bytes_sent` is defined as `Number of bytes in the client-to-server direction of the session.` and matches the ECS definitions for `client.bytes` and `source.bytes` being bytes from `client/source => server/destination`. Likewise, `bytes_received` is defined as `Number of bytes in the server-to-client direction of the session.` and matches the `destination.bytes` and `server.bytes` definitions in ECS being the bytes sent from `server/destination => client/source`. Furthermore, the [panw filebeat module mapping](https://github.com/elastic/beats/blob/v8.4.0/x-pack/filebeat/module/panw/panos/config/input.yml#L95) and [integration pipeline](https://github.com/elastic/integrations/blob/main/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/traffic.yml#L212) both follow the above conventions. This proposed change will map `Bytes Received` to `destination.bytes` and `Bytes Sent` to `client.bytes`.

* Swap `source.bytes` and `destination.bytes` traffic log mappings

  Swapping the values of `source.bytes` and `destination.bytes` in order to align the documentation with the changes implemented in #18525

* Run make update

Co-authored-by: dedemorton <[email protected]>

The same commit was cherry picked from commit 0930b9b into the backport pull requests #33059 and #33060 (Co-authored-by: Austin Smith <[email protected]>).
What does this PR do?

This proposed change will map `Bytes Received` to `destination.bytes` and `Bytes Sent` to `client.bytes`.

Checklist

- [ ] My code follows the style guidelines of this project
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding change to the default configuration files
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] I have added an entry in `CHANGELOG.next.asciidoc` or `CHANGELOG-developer.next.asciidoc`.

EDIT: Below is a pull request which contains the fix made within the PANW filebeat module in order to swap these same two values. #18525.