-
Notifications
You must be signed in to change notification settings - Fork 419
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Finding a better name for url.hostname
, source.hostname
and destination.hostname
#166
Comments
url.hostname
?url.hostname
, source.hostname
and destination.hostname
@MikePaquette @ruflin @robgil @andrewkroh Ok, this proposal is now better fleshed out and ready to be discussed :-) |
We are currently using this in logstash: (?:%{IP:[server][host][ip]}|%{NOTSPACE:[server][host][name]}) which seems to make very clear to what is what. |
@webmat Thanks for the detailed research on this issue. +1 on not renaming it to For the alternative names:
@vbohata Your Two alternatives:
Even though |
No, server.host.ip will contain IP if matches LS pattern. Otherwise server.host.name will contain host name. I do not want to mix these values as I use them later... for example for related field I am using. |
@vbohata Yes, your approach actually does away with the ambiguity totally. What this field is here is a place to store the value in the ambiguous state. At the time where it's still unknown if it's an IP or a registered name. It also makes me realize that under source and destination, we could actually get away with only IP and the domain fields, and leave hostname (or any other name for this field) out of ECS. Typically people will want to figure out with certainty whether this value is an IP or a name. So they should have some processing to determine that, as demonstrated above by @vbohata. If they want to keep the ambiguous value as well in their stream after the extraction is done, it's totally up to them, and perhaps this ambiguous field doesn't even belong into ECS. I'll add that above as one of the options. @ruflin I have perhaps not said the following explicitly enough in the body of the issue. But the reason I really want to address this is to avoid the perpetual questions asking "what's the difference between hostname and the domain fields?". The fact that the initial question (#84) came from a person very familiar with the space is a very good indicator to me that this is too ambiguous. When this gets out more broadly, I'm afraid that this will result in essentially the same question being asked over and over (not everyone pores over the GH issues before asking their own question). |
@ruflin To answer your question about But you're very right that in the other two locations we're discussing, source and destination, perhaps the name "url_host" is incorrect. Because it may indeed not come from an actual URL. Could be from an email address or other bit of information that has a host. |
@webmat I like your suggestion in #166 (comment) best -
I am +1 to remove Then we'd have these anticipated common mappings:
Also, I'm still not sure why we need the additional field for URL. Is there a good example where the URL host field could not /would not map to ecs |
@MikePaquette Technically, the URL's host can be an IP or a name. So that's also a place where the ambiguous concept of "host" is useful. This makes me realize that in the current state, So in total the overall proposal here is:
Note: source and destination already have a |
@ruflin Would you be good for this version of the proposal for Beta1? #166 (comment) |
As most of you have realized, using the word "hostname" for two different purposes in ECS is bugging me. I'm very happy of the resistance I've faced when bringing this up so far, because it has forced me to dig deeper and figure this out more precisely. Hopefully this helps me make a better case for why in one of these two cases, "hostname" is incorrect.
Two usages of hostname in ECS
Let's review the two different uses of "hostname" currently in ECS:
hostname
on a host/device.device.hostname
andhost.hostname
.source.hostname
,destination.hostname
andurl.hostname
host
fields in there instead anyway (e.g.host.id
,host.hostname
).What's wrong with
hostname
?In the RFCs I'm aware of, when mentioning "a network address, which may be an IP or a domain name", they all refer to that as a "host", not a "hostname". They sometimes use the word "hostname" (but not always) to refer to an address that's a registered name (such as a domain name or a local DNS entry).
This is not a recent change either, the oldest RFC I'm linking to below is from 1994, and is using "host" to mean the "ip or name" concept. Here's a few excerpts:
The fact that they are sometimes mentioned in the same places or even in some cases used interchangeably in tool documentation (we're not the only ones facing this mixup) helps explain why the two are often mixed up. I haven't looked farther back in the RFCs, so that mixup may indeed come from there.
However as @MikePaquette pointed out, using the name "host" in these places would conflict with our top level field set "host". Even if "host" is not currently a reuseable object, I do think it could become one, and the most obvious places I would expect to nest it is at
source.host
anddestination.host
.So I agree we should not rename these 3 fields to
*.host
.Here are some suggestions for new field names, based on what I've seen in the various server documentation tools and the RFCs. Remember that these proposed renames apply only to
source
,destination
andurl
, not tohost
anddevice
:host_address
uri_host
orurl_host
hostname
from source, destination and url.I'm open to other suggestions, of course.
The text was updated successfully, but these errors were encountered: