From 79b7a92a77351712652288159387d6273ce39255 Mon Sep 17 00:00:00 2001
From: ruflin
Date: Mon, 28 May 2018 15:11:43 +0200
Subject: [PATCH] Add http.response.* fields

HTTP response status code and body show up in different Beats as packetbeat, heartbeat, filebeat, apm-server and also in web server logs. They are so common that it makes sense to standardise on the naming which is not the case yet. I initially thought of creating `response` object outside as it also exists for other protocols but came to the conclusion that it's not really useful to correlate for example response codes across different protocols.
---
 README.md | 12 ++++++++++++
 schema.csv | 2 ++
 schemas/http.yml | 17 +++++++++++++++++
 template.json | 15 +++++++++++++++
 4 files changed, 46 insertions(+)
 create mode 100644 schemas/http.yml

diff --git a/README.md b/README.md
index 54f7c87d9d..7e03c515e5 100644
--- a/README.md
+++ b/README.md
@@ -32,6 +32,7 @@ List of available ECS fields.
 * [File fields](#file)
 * [Geoip fields](#geoip)
 * [Host fields](#host)
+ * [HTTP fields](#http)
 * [Kubernetes fields](#kubernetes)
 * [Log fields](#log)
 * [Network fields](#network)
@@ -237,6 +238,17 @@ Normally the host information is related to the machine on which the event was g
 | `host.architecture` | Operating system architecture. | keyword | | `x86_64` |
 
 
+## HTTP fields
+
+Fields related to HTTP requests and responses.
+
+
+| Field | Description | Type | Multi Field | Example |
+|---|---|---|---|---|
+| `http.response.status_code` | Http response status code. | long | | `404` |
+| `http.response.body` | The full http response body. | text | | `Hello world` |
+
+
 ## Kubernetes fields
 
 Kubernetes fields are used for meta information about k8s. This should help to correlate data coming out of k8s setups.
diff --git a/schema.csv b/schema.csv
index 4e74119163..d7f7a692a0 100644
--- a/schema.csv
+++ b/schema.csv
@@ -78,6 +78,8 @@ host.os.platform,keyword,0,darwin
 host.os.version,keyword,0,10.12.6
 host.timezone.offset.sec,long,1,-5400
 host.type,keyword,1,
+http.response.body,text,0,Hello world
+http.response.status_code,long,0,404
 kubernetes.annotations,object,0,
 kubernetes.container.name,keyword,0,
 kubernetes.labels,object,0,
diff --git a/schemas/http.yml b/schemas/http.yml
new file mode 100644
index 0000000000..4718d9a482
--- /dev/null
+++ b/schemas/http.yml
@@ -0,0 +1,17 @@
+---
+- name: http
+ title: HTTP
+ group: 2
+ description: >
+ Fields related to HTTP requests and responses.
+ fields:
+ - name: response.status_code
+ type: long
+ description: >
+ Http response status code.
+ example: 404
+ - name: response.body
+ type: text
+ description: >
+ The full http response body.
+ example: Hello world
diff --git a/template.json b/template.json
index 2934113513..84d3ccf3a8 100644
--- a/template.json
+++ b/template.json
@@ -392,6 +392,21 @@
 }
 }
 },
+ "http": {
+ "properties": {
+ "response": {
+ "properties": {
+ "body": {
+ "norms": false,
+ "type": "text"
+ },
+ "status_code": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ },
 "kubernetes": {
 "properties": {
 "annotations": {
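Review bot: In schemas/http.yml, `response.body` is described only as "The full http response body", with no caveat about what that payload can hold or how large it can get. Response bodies routinely carry session tokens, API keys and personal data, and the template.json hunk maps the field as analyzed `text`, so whatever a producer captures is likely to become full-text searchable for anyone with read access to the index. I would extend the description to say so, e.g. `The full http response body. May contain credentials or personal data and can be large; producers should truncate and redact before indexing.` Separately, the two field descriptions write `Http`/`http` while the group description uses `HTTP`; using `HTTP` throughout would keep the generated README consistent.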