There have recently been several discussions around source, destination and connection, especially in elastic#9. The conclusion from my side is that source and destination normally belong to a connection and we actually miss a connection prefix. Also, some information from network, like `forward_ip`, belongs more to a connection than to network.

An additional change I made to source and destination is that they both now contain a host prefix. All the fields in source and destination also exist in `host`. The host prefix can be reused here too. This makes ECS very predictable, in that every time `host.*` shows up it will contain the same fields. Also, source and destination could contain additional data like the location; see elastic#50 for more details.

The connection fields now look as follows:

| Field | Description | Type |
|---|---|---|
| <a name="connection.destination.host.ip"></a>`connection.destination.host.ip` | IP address of the destination.<br/>Can be one or multiple IPv4 or IPv6 addresses. | ip |
| <a name="connection.destination.host.name"></a>`connection.destination.host.name` | Hostname of the destination. | keyword |
| <a name="connection.destination.host.port"></a>`connection.destination.host.port` | Port of the destination. | long |
| <a name="connection.destination.host.mac"></a>`connection.destination.host.mac` | MAC address of the destination. | keyword |
| <a name="connection.destination.host.domain"></a>`connection.destination.host.domain` | Destination domain. | keyword |
| <a name="connection.destination.host.subdomain"></a>`connection.destination.host.subdomain` | Destination subdomain. | keyword |
| <a name="connection.source.host.ip"></a>`connection.source.host.ip` | IP address of the source.<br/>Can be one or multiple IPv4 or IPv6 addresses. | ip |
| <a name="connection.source.host.name"></a>`connection.source.host.name` | Hostname of the source. | keyword |
| <a name="connection.source.host.port"></a>`connection.source.host.port` | Port of the source. | long |
| <a name="connection.source.host.mac"></a>`connection.source.host.mac` | MAC address of the source. | keyword |
| <a name="connection.source.host.domain"></a>`connection.source.host.domain` | Source domain. | keyword |
| <a name="connection.source.host.subdomain"></a>`connection.source.host.subdomain` | Source subdomain. | keyword |
| <a name="connection.direction"></a>`connection.direction` | Direction of the network traffic.<br/>Recommended values are:<br/> * inbound<br/> * outbound<br/> * unknown | keyword |
| <a name="connection.forwarded_ip"></a>`connection.forwarded_ip` | Host IP address when the source IP address is the proxy. | ip |

I opened a PR to discuss this instead of an issue, as it will allow us to discuss the high-level parts as comments but also details directly in the code.
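
A small checker for the field set in the table above, added here as an illustration and not part of the PR or of ECS. The function names, the split into errors and warnings, and the sample event are assumptions.

```python
import ipaddress

# Field names and types are copied from the table above; the checker is illustrative.
HOST = dict.fromkeys(("name", "mac", "domain", "subdomain"), "keyword") | {"ip": "ip", "port": "long"}
SCHEMA = {f"connection.{side}.host.{leaf}": kind
          for side in ("source", "destination") for leaf, kind in HOST.items()}
SCHEMA.update({"connection.direction": "keyword", "connection.forwarded_ip": "ip"})
DIRECTIONS = {"inbound", "outbound", "unknown"}  # recommended values, so only warned on

def flatten(doc, prefix=""):
    out = {}  # nested event -> {dotted.field.name: value}
    for key, value in doc.items():
        if isinstance(value, dict):
            out.update(flatten(value, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = value
    return out

def type_ok(name, kind, value):
    # Only the host.ip fields are described as holding one or multiple addresses.
    values = value if isinstance(value, list) and name.endswith(".host.ip") else [value]
    try:
        for v in values:
            if kind == "long" and (isinstance(v, bool) or not isinstance(v, int)):
                return False
            if kind != "long" and not isinstance(v, str):
                return False
            if kind == "ip":
                ipaddress.ip_address(v)  # raises ValueError on a malformed address
    except ValueError:
        return False
    return bool(values)  # an empty list carries no address

def check(event):
    errors, warnings = [], []
    for name, value in flatten(event).items():
        if not name.startswith("connection."):
            continue  # fields outside the connection prefix are not judged here
        kind = SCHEMA.get(name)
        if kind is None:
            errors.append(f"{name}: not in the proposed field set")
        elif not type_ok(name, kind, value):
            errors.append(f"{name}: expected {kind}")
        elif name == "connection.direction" and value not in DIRECTIONS:
            warnings.append(f"{name}: {value!r} is not a recommended value")
    return errors, warnings
# Constructed sample event (documentation addresses); the string port is deliberate.
SAMPLE = {"connection": {"direction": "inbound", "forwarded_ip": "203.0.113.7",
          "source": {"host": {"ip": ["198.51.100.4", "2001:db8::4"], "port": "51514"}}}}
```

`check(SAMPLE)` reports the source port as an error because it is a string rather than a long; an unlisted direction value produces a warning only, since the table calls those values recommended.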