Add os.type field, with list of allowed values (#1111)
Mathieu Martin authored Nov 18, 2020
1 parent 4ee5c21 commit fe738ff
Showing 15 changed files with 475 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.md
@@ -18,6 +18,7 @@ Thanks, you're awesome :-) -->

* Added `event.category` "registry". #1040
* Added `event.category` "session". #1049
* Added `os.type`. #1111

#### Improvements

9 changes: 9 additions & 0 deletions code/go/ecs/os.go


17 changes: 17 additions & 0 deletions docs/field-details.asciidoc
@@ -3930,6 +3930,23 @@ example: `darwin`

// ===============================================================

| os.type
| Use the `os.type` field to categorize the operating system into one of the broad commercial families.

One of these following values should be used (lowercase): linux, macos, unix, windows.

If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.

type: keyword



example: `macos`

| extended

// ===============================================================

| os.version
| Operating system version as a raw string.

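Review bot: the set of allowed values (linux, macos, unix, windows) exists only as prose inside the description in this hunk, so nothing generated from the schema can validate a document against it. ECS already enumerates the permitted values of `event.category` in the schema itself (the changelog entries above add two more of them); if the same mechanism is used for `os.type`, the docs can render the values as a table and ingest tooling can check them. Minor wording: `One of these following values should be used (lowercase).` reads better as `One of the following values should be used (lowercase).`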
60 changes: 60 additions & 0 deletions experimental/generated/beats/fields.ecs.yml
@@ -2181,6 +2181,21 @@
ignore_above: 1024
description: Operating system platform (such centos, ubuntu, windows).
example: darwin
- name: os.type
level: extended
type: keyword
ignore_above: 1024
description: 'Use the `os.type` field to categorize the operating system into
one of the broad commercial families.
One of these following values should be used (lowercase): linux, macos, unix,
windows.
If the OS you''re dealing with is not in the list, the field should not be
populated. Please let us know by opening an issue with ECS, to propose its
addition.'
example: macos
default_field: false
- name: os.version
level: extended
type: keyword
@@ -2929,6 +2944,21 @@
ignore_above: 1024
description: Operating system platform (such centos, ubuntu, windows).
example: darwin
- name: os.type
level: extended
type: keyword
ignore_above: 1024
description: 'Use the `os.type` field to categorize the operating system into
one of the broad commercial families.
One of these following values should be used (lowercase): linux, macos, unix,
windows.
If the OS you''re dealing with is not in the list, the field should not be
populated. Please let us know by opening an issue with ECS, to propose its
addition.'
example: macos
default_field: false
- name: os.version
level: extended
type: keyword
@@ -3034,6 +3064,21 @@
ignore_above: 1024
description: Operating system platform (such centos, ubuntu, windows).
example: darwin
- name: type
level: extended
type: keyword
ignore_above: 1024
description: 'Use the `os.type` field to categorize the operating system into
one of the broad commercial families.
One of these following values should be used (lowercase): linux, macos, unix,
windows.
If the OS you''re dealing with is not in the list, the field should not be
populated. Please let us know by opening an issue with ECS, to propose its
addition.'
example: macos
default_field: false
- name: version
level: extended
type: keyword
@@ -5716,6 +5761,21 @@
ignore_above: 1024
description: Operating system platform (such centos, ubuntu, windows).
example: darwin
- name: os.type
level: extended
type: keyword
ignore_above: 1024
description: 'Use the `os.type` field to categorize the operating system into
one of the broad commercial families.
One of these following values should be used (lowercase): linux, macos, unix,
windows.
If the OS you''re dealing with is not in the list, the field should not be
populated. Please let us know by opening an issue with ECS, to propose its
addition.'
example: macos
default_field: false
- name: os.version
level: extended
type: keyword
3 changes: 3 additions & 0 deletions experimental/generated/csv/fields.csv
@@ -251,6 +251,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev+exp,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
2.0.0-dev+exp,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
2.0.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
2.0.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
2.0.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
2.0.0-dev+exp,true,host,host.type,keyword,core,,,Type of host.
2.0.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
@@ -342,6 +343,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev+exp,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
2.0.0-dev+exp,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
2.0.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
2.0.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
2.0.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
2.0.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
2.0.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
@@ -703,6 +705,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev+exp,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
2.0.0-dev+exp,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
2.0.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
2.0.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
2.0.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
2.0.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
2.0.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
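Review bot: `user_agent.os.type` is being added with the same four allowed values as the host and observer variants, which means the operating systems most often seen in user-agent strings (iOS and Android) have no permitted value, and the description's rule for that case is to leave the field empty. It would help to say in the docs whether BSD, Solaris and similar systems should be recorded as `unix`, and to state explicitly that mobile OS families are out of scope for now, so that consumers building dashboards or rules on this field do not assume every event carries it.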
57 changes: 57 additions & 0 deletions experimental/generated/ecs/ecs_flat.yml
@@ -3423,6 +3423,25 @@ host.os.platform:
original_fieldset: os
short: Operating system platform (such centos, ubuntu, windows).
type: keyword
host.os.type:
dashed_name: host-os-type
description: 'Use the `os.type` field to categorize the operating system into one
of the broad commercial families.
One of these following values should be used (lowercase): linux, macos, unix,
windows.
If the OS you''re dealing with is not in the list, the field should not be populated.
Please let us know by opening an issue with ECS, to propose its addition.'
example: macos
flat_name: host.os.type
ignore_above: 1024
level: extended
name: type
normalize: []
original_fieldset: os
short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
type: keyword
host.os.version:
dashed_name: host-os-version
description: Operating system version as a raw string.
@@ -4559,6 +4578,25 @@ observer.os.platform:
original_fieldset: os
short: Operating system platform (such centos, ubuntu, windows).
type: keyword
observer.os.type:
dashed_name: observer-os-type
description: 'Use the `os.type` field to categorize the operating system into one
of the broad commercial families.
One of these following values should be used (lowercase): linux, macos, unix,
windows.
If the OS you''re dealing with is not in the list, the field should not be populated.
Please let us know by opening an issue with ECS, to propose its addition.'
example: macos
flat_name: observer.os.type
ignore_above: 1024
level: extended
name: type
normalize: []
original_fieldset: os
short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
type: keyword
observer.os.version:
dashed_name: observer-os-version
description: Operating system version as a raw string.
@@ -8796,6 +8834,25 @@ user_agent.os.platform:
original_fieldset: os
short: Operating system platform (such centos, ubuntu, windows).
type: keyword
user_agent.os.type:
dashed_name: user-agent-os-type
description: 'Use the `os.type` field to categorize the operating system into one
of the broad commercial families.
One of these following values should be used (lowercase): linux, macos, unix,
windows.
If the OS you''re dealing with is not in the list, the field should not be populated.
Please let us know by opening an issue with ECS, to propose its addition.'
example: macos
flat_name: user_agent.os.type
ignore_above: 1024
level: extended
name: type
normalize: []
original_fieldset: os
short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
type: keyword
user_agent.os.version:
dashed_name: user-agent-os-version
description: Operating system version as a raw string.
79 changes: 79 additions & 0 deletions experimental/generated/ecs/ecs_nested.yml
@@ -4086,6 +4086,26 @@ host:
original_fieldset: os
short: Operating system platform (such centos, ubuntu, windows).
type: keyword
host.os.type:
dashed_name: host-os-type
description: 'Use the `os.type` field to categorize the operating system into
one of the broad commercial families.
One of these following values should be used (lowercase): linux, macos, unix,
windows.
If the OS you''re dealing with is not in the list, the field should not be
populated. Please let us know by opening an issue with ECS, to propose its
addition.'
example: macos
flat_name: host.os.type
ignore_above: 1024
level: extended
name: type
normalize: []
original_fieldset: os
short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
type: keyword
host.os.version:
dashed_name: host-os-version
description: Operating system version as a raw string.
@@ -5339,6 +5359,26 @@ observer:
original_fieldset: os
short: Operating system platform (such centos, ubuntu, windows).
type: keyword
observer.os.type:
dashed_name: observer-os-type
description: 'Use the `os.type` field to categorize the operating system into
one of the broad commercial families.
One of these following values should be used (lowercase): linux, macos, unix,
windows.
If the OS you''re dealing with is not in the list, the field should not be
populated. Please let us know by opening an issue with ECS, to propose its
addition.'
example: macos
flat_name: observer.os.type
ignore_above: 1024
level: extended
name: type
normalize: []
original_fieldset: os
short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
type: keyword
observer.os.version:
dashed_name: observer-os-version
description: Operating system version as a raw string.
@@ -5542,6 +5582,25 @@ os:
normalize: []
short: Operating system platform (such centos, ubuntu, windows).
type: keyword
os.type:
dashed_name: os-type
description: 'Use the `os.type` field to categorize the operating system into
one of the broad commercial families.
One of these following values should be used (lowercase): linux, macos, unix,
windows.
If the OS you''re dealing with is not in the list, the field should not be
populated. Please let us know by opening an issue with ECS, to propose its
addition.'
example: macos
flat_name: os.type
ignore_above: 1024
level: extended
name: type
normalize: []
short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
type: keyword
os.version:
dashed_name: os-version
description: Operating system version as a raw string.
@@ -10110,6 +10169,26 @@ user_agent:
original_fieldset: os
short: Operating system platform (such centos, ubuntu, windows).
type: keyword
user_agent.os.type:
dashed_name: user-agent-os-type
description: 'Use the `os.type` field to categorize the operating system into
one of the broad commercial families.
One of these following values should be used (lowercase): linux, macos, unix,
windows.
If the OS you''re dealing with is not in the list, the field should not be
populated. Please let us know by opening an issue with ECS, to propose its
addition.'
example: macos
flat_name: user_agent.os.type
ignore_above: 1024
level: extended
name: type
normalize: []
original_fieldset: os
short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
type: keyword
user_agent.os.version:
dashed_name: user-agent-os-version
description: Operating system version as a raw string.
12 changes: 12 additions & 0 deletions experimental/generated/elasticsearch/7/template.json
@@ -1134,6 +1134,10 @@
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
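Review bot: the mapping added here is a plain `keyword` with `ignore_above`, so the index itself does not enforce the lowercase allowed-value set described in the docs hunk; a detection rule or dashboard filtering on `host.os.type: windows` will silently miss a document indexed with `Windows` or `win`. Since the template cannot express the constraint, the field description should say that producers must emit exactly one of the listed lowercase values, and ingest pipelines that consume this field should lowercase and validate it (dropping unknown values) before indexing, so that the two other copies of this mapping below behave the same way.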
@@ -1589,6 +1593,10 @@
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
@@ -3237,6 +3245,10 @@
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"