From 87edcad11255737a023cb62414e775401ab7b3af Mon Sep 17 00:00:00 2001 
From: Mathieu Martin
Date: Fri, 22 Nov 2019 15:06:48 -0500
Subject: [PATCH 1/2] Remove the Go library and the code generating it
---
 Makefile | 16 +-
 code/README.md | 6 -
 code/go/ecs/README.md | 8 -
 code/go/ecs/agent.go | 53 -----
 code/go/ecs/as.go | 33 ---
 code/go/ecs/base.go | 52 -----
 code/go/ecs/client.go | 88 --------
 code/go/ecs/cloud.go | 48 -----
 code/go/ecs/container.go | 43 ----
 code/go/ecs/destination.go | 76 -------
 code/go/ecs/dns.go | 129 ------------
 code/go/ecs/doc.go | 22 --
 code/go/ecs/ecs.go | 30 ---
 code/go/ecs/error.go | 40 ----
 code/go/ecs/event.go | 176 ----------------
 code/go/ecs/file.go | 92 ---------
 code/go/ecs/geo.go | 53 -----
 code/go/ecs/group.go | 34 ----
 code/go/ecs/hash.go | 38 ----
 code/go/ecs/host.go | 67 ------
 code/go/ecs/http.go | 56 -----
 code/go/ecs/log.go | 94 ---------
 code/go/ecs/network.go | 95 ---------
 code/go/ecs/observer.go | 68 -------
 code/go/ecs/organization.go | 32 ---
 code/go/ecs/os.go | 41 ----
 code/go/ecs/package.go | 74 -------
 code/go/ecs/process.go | 145 -------------
 code/go/ecs/related.go | 33 ---
 code/go/ecs/server.go | 88 --------
 code/go/ecs/service.go | 76 -------
 code/go/ecs/source.go | 77 -------
 code/go/ecs/threat.go | 66 ------
 code/go/ecs/tls.go | 154 --------------
 code/go/ecs/tracing.go | 37 ----
 code/go/ecs/url.go | 94 ---------
 code/go/ecs/user.go | 47 -----
 code/go/ecs/user_agent.go | 37 ----
 code/go/ecs/version.go | 23 ---
 code/go/ecs/vulnerability.go | 93 ---------
 scripts/cmd/gocodegen/gocodegen.go | 315 -----------------------------
 41 files changed, 1 insertion(+), 2848 deletions(-)
 delete mode 100644 code/README.md
 delete mode 100644 code/go/ecs/README.md
 delete mode 100644 code/go/ecs/agent.go
 delete mode 100644 code/go/ecs/as.go
 delete mode 100644 code/go/ecs/base.go
 delete mode 100644 code/go/ecs/client.go
 delete mode 100644 code/go/ecs/cloud.go
 delete mode 100644 code/go/ecs/container.go
 delete mode 100644 code/go/ecs/destination.go
 delete mode 100644 code/go/ecs/dns.go
 delete mode 100644 code/go/ecs/doc.go
 delete mode 100644 code/go/ecs/ecs.go
 delete mode 100644 code/go/ecs/error.go
 delete mode 100644 code/go/ecs/event.go
 delete mode 100644 code/go/ecs/file.go
 delete mode 100644 code/go/ecs/geo.go
 delete mode 100644 code/go/ecs/group.go
 delete mode 100644 code/go/ecs/hash.go
 delete mode 100644 code/go/ecs/host.go
 delete mode 100644 code/go/ecs/http.go
 delete mode 100644 code/go/ecs/log.go
 delete mode 100644 code/go/ecs/network.go
 delete mode 100644 code/go/ecs/observer.go
 delete mode 100644 code/go/ecs/organization.go
 delete mode 100644 code/go/ecs/os.go
 delete mode 100644 code/go/ecs/package.go
 delete mode 100644 code/go/ecs/process.go
 delete mode 100644 code/go/ecs/related.go
 delete mode 100644 code/go/ecs/server.go
 delete mode 100644 code/go/ecs/service.go
 delete mode 100644 code/go/ecs/source.go
 delete mode 100644 code/go/ecs/threat.go
 delete mode 100644 code/go/ecs/tls.go
 delete mode 100644 code/go/ecs/tracing.go
 delete mode 100644 code/go/ecs/url.go
 delete mode 100644 code/go/ecs/user.go
 delete mode 100644 code/go/ecs/user_agent.go
 delete mode 100644 code/go/ecs/version.go
 delete mode 100644 code/go/ecs/vulnerability.go
 delete mode 100644 scripts/cmd/gocodegen/gocodegen.go
diff --git a/Makefile b/Makefile
index 0ce4c42168..c0a08e0bf5 100644
--- a/Makefile
+++ b/Makefile
@@ -35,10 +35,6 @@ clean:
 # Clean all markdown files for use-cases
 find ./use-cases -type f -name '*.md' -not -name 'README.md' -print0 | xargs -0 rm --
-# Alias to generate source code for all languages.
-.PHONY: codegen
-codegen: gocodegen
-
 # Build the asciidoc book.
 .PHONY: docs
 docs:
@@ -56,23 +52,13 @@ fmt: ve
 # Alias to generate everything.
 .PHONY: generate
-generate: template legacy_use_cases codegen generator schema.json
+generate: template legacy_use_cases generator schema.json
 # Run the new generator
 .PHONY: generator
 generator:
 $(PYTHON) scripts/generator.py --include "${INCLUDE}"
-# Generate Go code from the schema.
-.PHONY: gocodegen
-gocodegen:
- find code/go/ecs -name '*.go' -not -name 'doc.go' | xargs rm
- cd scripts \
- && $(FORCE_GO_MODULES) go run cmd/gocodegen/gocodegen.go \
- -version=$(VERSION) \
- -schema=../schemas \
- -out=../code/go/ecs
-
 # Generate the Use Cases
 .PHONY: legacy_use_cases
 legacy_use_cases: ve
diff --git a/code/README.md b/code/README.md
deleted file mode 100644
index 59d148f9df..0000000000
--- a/code/README.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# Generated Source Code
-
-This directory contains source code that is generated from the Elastic Common
-Schema (ECS).
-
-- [Go](go/ecs/)
diff --git a/code/go/ecs/README.md b/code/go/ecs/README.md
deleted file mode 100644
index 98339a2539..0000000000
--- a/code/go/ecs/README.md
+++ /dev/null
@@ -1,8 +0,0 @@
-# Go - Generated Source Code
-
-[![Go Documentation](http://img.shields.io/badge/go-documentation-blue.svg?style=flat-square)][godocs]
-
-[godocs]: http://godoc.org/github.com/elastic/ecs/code/go/ecs
-
-This package contains Go source code that is generated from the Elastic Common
-Schema (ECS).
diff --git a/code/go/ecs/agent.go b/code/go/ecs/agent.go
deleted file mode 100644
index 5057c1cd1d..0000000000
--- a/code/go/ecs/agent.go
+++ /dev/null
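Review bot: Deleting the `gocodegen` target removes the only use of `FORCE_GO_MODULES` visible in this hunk, and the `cd scripts && go run cmd/gocodegen/gocodegen.go` recipe implies a Go module under `scripts/`; if the Makefile still defines that variable or `scripts/` still carries a `go.mod`/`go.sum` for this command, both are now dead and belong in the same change. Separately, `code/go/ecs` was a published import path (the deleted README advertises its godoc page), so removing it is a breaking change for any module that depends on it at the next tag; the commit description should state that explicitly and a CHANGELOG entry naming the replacement, or stating there is none, would help consumers. Both points are inferred from the hunk and the diffstat rather than from definitions visible here.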
@@ -1,53 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// The agent fields contain the data about the software entity, if any, that -// collects, detects, or observes events on a host, or takes measurements on a -// host. -// Examples include Beats. Agents may also run on observers. ECS agent.* fields -// shall be populated with details of the agent running on the host or observer -// where the event happened or the measurement was taken. -type Agent struct { - // Version of the agent. - Version string `ecs:"version"` - - // Custom name of the agent. - // This is a name that can be given to an agent. This can be helpful if for - // example two Filebeat instances are running on the same host but a human - // readable separation is needed on which Filebeat instance data is coming - // from. - // If no name is given, the name is often left empty. - Name string `ecs:"name"` - - // Type of the agent. - // The agent type stays always the same and should be given by the agent - // used. In case of Filebeat the agent would always be Filebeat also if two - // Filebeat instances are run on the same machine. 
- Type string `ecs:"type"` - - // Unique identifier of this agent (if one exists). - // Example: For Beats this would be beat.id. - ID string `ecs:"id"` - - // Ephemeral identifier of this agent (if one exists). - // This id normally changes across restarts, but `agent.id` does not. - EphemeralID string `ecs:"ephemeral_id"` -} diff --git a/code/go/ecs/as.go b/code/go/ecs/as.go deleted file mode 100644 index 32451693f6..0000000000 --- a/code/go/ecs/as.go +++ /dev/null @@ -1,33 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// An autonomous system (AS) is a collection of connected Internet Protocol -// (IP) routing prefixes under the control of one or more network operators on -// behalf of a single administrative entity or domain that presents a common, -// clearly defined routing policy to the internet. -type AS struct { - // Unique number allocated to the autonomous system. The autonomous system - // number (ASN) uniquely identifies each network on the Internet. - Number int64 `ecs:"number"` - - // Organization name. - OrganizationName string `ecs:"organization.name"` -} 
diff --git a/code/go/ecs/base.go b/code/go/ecs/base.go deleted file mode 100644 index 8960635b75..0000000000 --- a/code/go/ecs/base.go +++ /dev/null 
@@ -1,52 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -import ( - "time" -) - -// The `base` field set contains all fields which are on the top level. These -// fields are common across all types of events. -type Base struct { - // Date/time when the event originated. - // This is the date/time extracted from the event, typically representing - // when the event was generated by the source. - // If the event source has no original timestamp, this value is typically - // populated by the first time the event was received by the pipeline. - // Required field for all events. - Timestamp time.Time `ecs:"@timestamp"` - - // List of keywords used to tag each event. - Tags string `ecs:"tags"` - - // Custom key/value pairs. - // Can be used to add meta information to events. Should not contain nested - // objects. All values are stored as keyword. - // Example: `docker` and `k8s` labels. - Labels map[string]interface{} `ecs:"labels"` - - // For log events the message field contains the log message, optimized for - // viewing in a log viewer. 
- // For structured logs without an original message field, other fields can - // be concatenated to form a human-readable summary of the event. - // If multiple messages exist, they can be combined into one message. - Message string `ecs:"message"` -} diff --git a/code/go/ecs/client.go b/code/go/ecs/client.go deleted file mode 100644 index e4384ab0dd..0000000000 --- a/code/go/ecs/client.go +++ /dev/null 
@@ -1,88 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// A client is defined as the initiator of a network connection for events -// regarding sessions, connections, or bidirectional flow records. -// For TCP events, the client is the initiator of the TCP connection that sends -// the SYN packet(s). For other protocols, the client is generally the -// initiator or requestor in the network transaction. Some systems use the term -// "originator" to refer the client in TCP connections. The client fields -// describe details about the system acting as the client in the network event. -// Client fields are usually populated in conjunction with server fields. -// Client fields are generally not populated for packet-level events. -// Client / server representations can add semantic context to an exchange, -// which is helpful to visualize the data in certain situations. If your -// context falls in that category, you should still ensure that source and -// destination are filled appropriately. -type Client struct { - // Some event client addresses are defined ambiguously. The event will - // sometimes list an IP, a domain or a unix socket. 
You should always - // store the raw address in the `.address` field. - // Then it should be duplicated to `.ip` or `.domain`, depending on which - // one it is. - Address string `ecs:"address"` - - // IP address of the client. - // Can be one or multiple IPv4 or IPv6 addresses. - IP string `ecs:"ip"` - - // Port of the client. - Port int64 `ecs:"port"` - - // MAC address of the client. - MAC string `ecs:"mac"` - - // Client domain. - Domain string `ecs:"domain"` - - // The highest registered client domain, stripped of the subdomain. - // For example, the registered domain for "foo.google.com" is "google.com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last two labels will not work well for TLDs such as - // "co.uk". - RegisteredDomain string `ecs:"registered_domain"` - - // The effective top level domain (eTLD), also known as the domain suffix, - // is the last part of the domain name. For example, the top level domain - // for google.com is "com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last label will not work well for effective TLDs such - // as "co.uk". - TopLevelDomain string `ecs:"top_level_domain"` - - // Bytes sent from the client to the server. - Bytes int64 `ecs:"bytes"` - - // Packets sent from the client to the server. - Packets int64 `ecs:"packets"` - - // Translated IP of source based NAT sessions (e.g. internal client to - // internet). - // Typically connections traversing load balancers, firewalls, or routers. - NatIP string `ecs:"nat.ip"` - - // Translated port of source based NAT sessions (e.g. internal client to - // internet). - // Typically connections traversing load balancers, firewalls, or routers. - NatPort int64 `ecs:"nat.port"` -} 
diff --git a/code/go/ecs/cloud.go b/code/go/ecs/cloud.go deleted file mode 100644 index 3a6757b3db..0000000000 --- a/code/go/ecs/cloud.go +++ /dev/null @@ -1,48 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// Fields related to the cloud or infrastructure the events are coming from. -type Cloud struct { - // Name of the cloud provider. Example values are aws, azure, gcp, or - // digitalocean. - Provider string `ecs:"provider"` - - // Availability zone in which this host is running. - AvailabilityZone string `ecs:"availability_zone"` - - // Region in which this host is running. - Region string `ecs:"region"` - - // Instance ID of the host machine. - InstanceID string `ecs:"instance.id"` - - // Instance name of the host machine. - InstanceName string `ecs:"instance.name"` - - // Machine type of the host machine. - MachineType string `ecs:"machine.type"` - - // The cloud account or organization id used to identify different entities - // in a multi-tenant environment. - // Examples: AWS account id, Google Cloud ORG Id, or other unique - // identifier. - AccountID string `ecs:"account.id"` -} 
diff --git a/code/go/ecs/container.go b/code/go/ecs/container.go deleted file mode 100644 index be47d0ce94..0000000000 --- a/code/go/ecs/container.go +++ /dev/null @@ -1,43 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// Container fields are used for meta information about the specific container -// that is the source of information. -// These fields help correlate data based containers from any runtime. -type Container struct { - // Runtime managing this container. - Runtime string `ecs:"runtime"` - - // Unique container id. - ID string `ecs:"id"` - - // Name of the image the container was built on. - ImageName string `ecs:"image.name"` - - // Container image tag. - ImageTag string `ecs:"image.tag"` - - // Container name. - Name string `ecs:"name"` - - // Image labels. - Labels map[string]interface{} `ecs:"labels"` -} diff --git a/code/go/ecs/destination.go b/code/go/ecs/destination.go deleted file mode 100644 index 544981c59a..0000000000 --- a/code/go/ecs/destination.go +++ /dev/null 
@@ -1,76 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// Destination fields describe details about the destination of a packet/event. -// Destination fields are usually populated in conjunction with source fields. -type Destination struct { - // Some event destination addresses are defined ambiguously. The event will - // sometimes list an IP, a domain or a unix socket. You should always - // store the raw address in the `.address` field. - // Then it should be duplicated to `.ip` or `.domain`, depending on which - // one it is. - Address string `ecs:"address"` - - // IP address of the destination. - // Can be one or multiple IPv4 or IPv6 addresses. - IP string `ecs:"ip"` - - // Port of the destination. - Port int64 `ecs:"port"` - - // MAC address of the destination. - MAC string `ecs:"mac"` - - // Destination domain. - Domain string `ecs:"domain"` - - // The highest registered destination domain, stripped of the subdomain. - // For example, the registered domain for "foo.google.com" is "google.com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). 
Trying to approximate this by - // simply taking the last two labels will not work well for TLDs such as - // "co.uk". - RegisteredDomain string `ecs:"registered_domain"` - - // The effective top level domain (eTLD), also known as the domain suffix, - // is the last part of the domain name. For example, the top level domain - // for google.com is "com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last label will not work well for effective TLDs such - // as "co.uk". - TopLevelDomain string `ecs:"top_level_domain"` - - // Bytes sent from the destination to the source. - Bytes int64 `ecs:"bytes"` - - // Packets sent from the destination to the source. - Packets int64 `ecs:"packets"` - - // Translated ip of destination based NAT sessions (e.g. internet to - // private DMZ) - // Typically used with load balancers, firewalls, or routers. - NatIP string `ecs:"nat.ip"` - - // Port the source session is translated to by NAT Device. - // Typically used with load balancers, firewalls, or routers. - NatPort int64 `ecs:"nat.port"` -} diff --git a/code/go/ecs/dns.go b/code/go/ecs/dns.go deleted file mode 100644 index 5a7c54c7b8..0000000000 --- a/code/go/ecs/dns.go +++ /dev/null 
@@ -1,129 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// Fields describing DNS queries and answers. -// DNS events should either represent a single DNS query prior to getting -// answers (`dns.type:query`) or they should represent a full exchange and -// contain the query details as well as all of the answers that were provided -// for this query (`dns.type:answer`). -type Dns struct { - // The type of DNS event captured, query or answer. - // If your source of DNS events only gives you DNS queries, you should only - // create dns events of type `dns.type:query`. - // If your source of DNS events gives you answers as well, you should - // create one event per query (optionally as soon as the query is seen). - // And a second event containing all query details as well as an array of - // answers. - Type string `ecs:"type"` - - // The DNS packet identifier assigned by the program that generated the - // query. The identifier is copied to the response. - ID string `ecs:"id"` - - // The DNS operation code that specifies the kind of query in the message. - // This value is set by the originator of a query and copied into the - // response. 
- OpCode string `ecs:"op_code"` - - // Array of 2 letter DNS header flags. - // Expected values are: AA, TC, RD, RA, AD, CD, DO. - HeaderFlags string `ecs:"header_flags"` - - // The DNS response code. - ResponseCode string `ecs:"response_code"` - - // The name being queried. - // If the name field contains non-printable characters (below 32 or above - // 126), those characters should be represented as escaped base 10 integers - // (\DDD). Back slashes and quotes should be escaped. Tabs, carriage - // returns, and line feeds should be converted to \t, \r, and \n - // respectively. - QuestionName string `ecs:"question.name"` - - // The type of record being queried. - QuestionType string `ecs:"question.type"` - - // The class of of records being queried. - QuestionClass string `ecs:"question.class"` - - // The highest registered domain, stripped of the subdomain. - // For example, the registered domain for "foo.google.com" is "google.com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last two labels will not work well for TLDs such as - // "co.uk". - QuestionRegisteredDomain string `ecs:"question.registered_domain"` - - // The effective top level domain (eTLD), also known as the domain suffix, - // is the last part of the domain name. For example, the top level domain - // for google.com is "com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last label will not work well for effective TLDs such - // as "co.uk". - QuestionTopLevelDomain string `ecs:"question.top_level_domain"` - - // The subdomain is all of the labels under the registered_domain. - // If the domain has multiple levels of subdomain, such as - // "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", - // with no trailing period. 
- QuestionSubdomain string `ecs:"question.subdomain"` - - // An array containing an object for each answer section returned by the - // server. - // The main keys that should be present in these objects are defined by - // ECS. Records that have more information may contain more keys than what - // ECS defines. - // Not all DNS data sources give all details about DNS answers. At minimum, - // answer objects must contain the `data` key. If more information is - // available, map as much of it to ECS as possible, and add any additional - // fields to the answer objects as custom fields. - Answers map[string]interface{} `ecs:"answers"` - - // The domain name to which this resource record pertains. - // If a chain of CNAME is being resolved, each answer's `name` should be - // the one that corresponds with the answer's `data`. It should not simply - // be the original `question.name` repeated. - AnswersName string `ecs:"answers.name"` - - // The type of data contained in this resource record. - AnswersType string `ecs:"answers.type"` - - // The class of DNS data contained in this resource record. - AnswersClass string `ecs:"answers.class"` - - // The time interval in seconds that this resource record may be cached - // before it should be discarded. Zero values mean that the data should not - // be cached. - AnswersTtl int64 `ecs:"answers.ttl"` - - // The data describing the resource. - // The meaning of this data depends on the type and class of the resource - // record. - AnswersData string `ecs:"answers.data"` - - // Array containing all IPs seen in `answers.data`. - // The `answers` array can be difficult to use, because of the variety of - // data formats it can contain. Extracting all IP addresses seen in there - // to `dns.resolved_ip` makes it possible to index them as IP addresses, - // and makes them easier to visualize and query for. - ResolvedIP string `ecs:"resolved_ip"` -} 
diff --git a/code/go/ecs/doc.go b/code/go/ecs/doc.go deleted file mode 100644 index 48c8e74d8c..0000000000 --- a/code/go/ecs/doc.go +++ /dev/null @@ -1,22 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Package ecs contains source code that is generated from the Elastic Common -// Schema (ECS). -// -// https://github.com/elastic/ecs#elastic-common-schema-ecs -package ecs diff --git a/code/go/ecs/ecs.go b/code/go/ecs/ecs.go deleted file mode 100644 index 413878ef0c..0000000000 --- a/code/go/ecs/ecs.go +++ /dev/null 
@@ -1,30 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// Meta-information specific to ECS. -type ECS struct { - // ECS version this event conforms to. `ecs.version` is a required field - // and must exist in all events. - // When querying across multiple indices -- which may conform to slightly - // different ECS versions -- this field lets integrations adjust to the - // schema version of the events. - Version string `ecs:"version"` -} diff --git a/code/go/ecs/error.go b/code/go/ecs/error.go deleted file mode 100644 index 0fea2b4584..0000000000 --- a/code/go/ecs/error.go +++ /dev/null 
@@ -1,40 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// These fields can represent errors of any kind. -// Use them for errors that happen while fetching events or in cases where the -// event itself contains an error. -type Error struct { - // Unique identifier for the error. - ID string `ecs:"id"` - - // Error message. - Message string `ecs:"message"` - - // Error code describing the error. - Code string `ecs:"code"` - - // The type of the error, for example the class name of the exception. - Type string `ecs:"type"` - - // The stack trace of this error in plain text. - StackTrace string `ecs:"stack_trace"` -} diff --git a/code/go/ecs/event.go b/code/go/ecs/event.go deleted file mode 100644 index 92bf942be0..0000000000 --- a/code/go/ecs/event.go +++ /dev/null 
@@ -1,176 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-import (
- "time"
-)
-
-// The event fields are used for context information about the log or metric
-// event itself.
-// A log is defined as an event containing details of something that happened.
-// Log events must include the time at which the thing happened. Examples of
-// log events include a process starting on a host, a network packet being sent
-// from a source to a destination, or a network connection between a client and
-// a server being initiated or closed. A metric is defined as an event
-// containing one or more numerical or categorical measurements and the time at
-// which the measurement was taken. Examples of metric events include memory
-// pressure measured on a host, or vulnerabilities measured on a scanned host.
-type Event struct {
- // Unique ID to describe the event.
- ID string `ecs:"id"`
-
- // Identification code for this event, if one exists.
- // Some event sources use event codes to identify messages unambiguously,
- // regardless of message language or wording adjustments over time. An
- // example of this is the Windows Event ID.
- Code string `ecs:"code"`
-
- // The kind of the event.
- // This gives information about what type of information the event
- // contains, without being specific to the contents of the event. Examples
- // are `event`, `state`, `alarm`. Warning: In future versions of ECS, we
- // plan to provide a list of acceptable values for this field, please use
- // with caution.
- Kind string `ecs:"kind"`
-
- // Event category.
- // This contains high-level information about the contents of the event. It
- // is more generic than `event.action`, in the sense that typically a
- // category contains multiple actions. Warning: In future versions of ECS,
- // we plan to provide a list of acceptable values for this field, please
- // use with caution.
- Category string `ecs:"category"`
-
- // The action captured by the event.
- // This describes the information in the event. It is more specific than
- // `event.category`. Examples are `group-add`, `process-started`,
- // `file-created`. The value is normally defined by the implementer.
- Action string `ecs:"action"`
-
- // The outcome of the event.
- // If the event describes an action, this fields contains the outcome of
- // that action. Examples outcomes are `success` and `failure`. Warning: In
- // future versions of ECS, we plan to provide a list of acceptable values
- // for this field, please use with caution.
- Outcome string `ecs:"outcome"`
-
- // Reserved for future usage.
- // Please avoid using this field for user data.
- Type string `ecs:"type"`
-
- // Name of the module this data is coming from.
- // If your monitoring agent supports the concept of modules or plugins to
- // process events of a given source (e.g. Apache logs), `event.module`
- // should contain the name of this module.
- Module string `ecs:"module"`
-
- // Name of the dataset.
- // If an event source publishes more than one type of log or events (e.g.
- // access log, error log), the dataset is used to specify which one the
- // event comes from.
- // It's recommended but not required to start the dataset name with the
- // module name, followed by a dot, then the dataset name.
- Dataset string `ecs:"dataset"`
-
- // Source of the event.
- // Event transports such as Syslog or the Windows Event Log typically
- // mention the source of an event. It can be the name of the software that
- // generated the event (e.g. Sysmon, httpd), or of a subsystem of the
- // operating system (kernel, Microsoft-Windows-Security-Auditing).
- Provider string `ecs:"provider"`
-
- // The numeric severity of the event according to your event source.
- // What the different severity values mean can be different between sources
- // and use cases. It's up to the implementer to make sure severities are
- // consistent across events from the same source.
- // The Syslog severity belongs in `log.syslog.severity.code`.
- // `event.severity` is meant to represent the severity according to the
- // event source (e.g. firewall, IDS). If the event source does not publish
- // its own severity, you may optionally copy the `log.syslog.severity.code`
- // to `event.severity`.
- Severity int64 `ecs:"severity"`
-
- // Raw text message of entire event. Used to demonstrate log integrity.
- // This field is not indexed and doc_values are disabled. It cannot be
- // searched, but it can be retrieved from `_source`.
- Original string `ecs:"original"`
-
- // Hash (perhaps logstash fingerprint) of raw field to be able to
- // demonstrate log integrity.
- Hash string `ecs:"hash"`
-
- // Duration of the event in nanoseconds.
- // If event.start and event.end are known this value should be the
- // difference between the end and start time.
- Duration time.Duration `ecs:"duration"`
-
- // Sequence number of the event.
- // The sequence number is a value published by some event sources, to make
- // the exact ordering of events unambiguous, regarless of the timestamp
- // precision.
- Sequence int64 `ecs:"sequence"`
-
- // This field should be populated when the event's timestamp does not
- // include timezone information already (e.g. default Syslog timestamps).
- // It's optional otherwise.
- // Acceptable timezone formats are: a canonical ID (e.g.
- // "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential
- // (e.g. "-05:00").
- Timezone string `ecs:"timezone"`
-
- // event.created contains the date/time when the event was first read by an
- // agent, or by your pipeline.
- // This field is distinct from @timestamp in that @timestamp typically
- // contain the time extracted from the original event.
- // In most situations, these two timestamps will be slightly different. The
- // difference can be used to calculate the delay between your source
- // generating an event, and the time when your agent first processed it.
- // This can be used to monitor your agent's or pipeline's ability to keep
- // up with your event source.
- // In case the two timestamps are identical, @timestamp should be used.
- Created time.Time `ecs:"created"`
-
- // event.start contains the date when the event started or when the
- // activity was first observed.
- Start time.Time `ecs:"start"`
-
- // event.end contains the date when the event ended or when the activity
- // was last observed.
- End time.Time `ecs:"end"`
-
- // Risk score or priority of the event (e.g. security solutions). Use your
- // system's original value here.
- RiskScore float64 `ecs:"risk_score"`
-
- // Normalized risk score or priority of the event, on a scale of 0 to 100.
- // This is mainly useful if you use more than one system that assigns risk
- // scores, and you want to see a normalized value across all systems.
- RiskScoreNorm float64 `ecs:"risk_score_norm"`
-
- // Timestamp when an event arrived in the central data store.
- // This is different from `@timestamp`, which is when the event originally
- // occurred. It's also different from `event.created`, which is meant to
- // capture the first time an agent saw the event.
- // In normal conditions, assuming no tampering, the timestamps should
- // chronologically look like this: `@timestamp` < `event.created` <
- // `event.ingested`.
- Ingested time.Time `ecs:"ingested"`
-}
diff --git a/code/go/ecs/file.go b/code/go/ecs/file.go
deleted file mode 100644
index 0ea31294e6..0000000000
--- a/code/go/ecs/file.go
+++ /dev/null
@@ -1,92 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-import (
- "time"
-)
-
-// A file is defined as a set of information that has been created on, or has
-// existed on a filesystem.
-// File objects can be associated with host events, network events, and/or file
-// events (e.g., those produced by File Integrity Monitoring [FIM] products or
-// services). File fields provide details about the affected file associated
-// with the event or metric.
-type File struct {
- // Name of the file including the extension, without the directory.
- Name string `ecs:"name"`
-
- // Directory where the file is located.
- Directory string `ecs:"directory"`
-
- // Full path to the file.
- Path string `ecs:"path"`
-
- // Target path for symlinks.
- TargetPath string `ecs:"target_path"`
-
- // File extension.
- Extension string `ecs:"extension"`
-
- // File type (file, dir, or symlink).
- Type string `ecs:"type"`
-
- // Device that is the source of the file.
- Device string `ecs:"device"`
-
- // Inode representing the file in the filesystem.
- Inode string `ecs:"inode"`
-
- // The user ID (UID) or security identifier (SID) of the file owner.
- UID string `ecs:"uid"`
-
- // File owner's username.
- Owner string `ecs:"owner"`
-
- // Primary group ID (GID) of the file.
- Gid string `ecs:"gid"`
-
- // Primary group name of the file.
- Group string `ecs:"group"`
-
- // Mode of the file in octal representation.
- Mode string `ecs:"mode"`
-
- // File size in bytes.
- // Only relevant when `file.type` is "file".
- Size int64 `ecs:"size"`
-
- // Last time the file content was modified.
- Mtime time.Time `ecs:"mtime"`
-
- // Last time the file attributes or metadata changed.
- // Note that changes to the file content will update `mtime`. This implies
- // `ctime` will be adjusted at the same time, since `mtime` is an attribute
- // of the file.
- Ctime time.Time `ecs:"ctime"`
-
- // File creation time.
- // Note that not all filesystems store the creation time.
- Created time.Time `ecs:"created"`
-
- // Last time the file was accessed.
- // Note that not all filesystems keep track of access time.
- Accessed time.Time `ecs:"accessed"`
-}
diff --git a/code/go/ecs/geo.go b/code/go/ecs/geo.go
deleted file mode 100644
index 89bfd81704..0000000000
--- a/code/go/ecs/geo.go
+++ /dev/null
@@ -1,53 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// Geo fields can carry data about a specific location related to an event.
-// This geolocation information can be derived from techniques such as Geo IP,
-// or be user-supplied.
-type Geo struct {
- // Longitude and latitude.
- Location string `ecs:"location"`
-
- // Name of the continent.
- ContinentName string `ecs:"continent_name"`
-
- // Country name.
- CountryName string `ecs:"country_name"`
-
- // Region name.
- RegionName string `ecs:"region_name"`
-
- // City name.
- CityName string `ecs:"city_name"`
-
- // Country ISO code.
- CountryIsoCode string `ecs:"country_iso_code"`
-
- // Region ISO code.
- RegionIsoCode string `ecs:"region_iso_code"`
-
- // User-defined description of a location, at the level of granularity they
- // care about.
- // Could be the name of their data centers, the floor number, if this
- // describes a local physical entity, city names.
- // Not typically used in automated geolocation.
- Name string `ecs:"name"`
-}
diff --git a/code/go/ecs/group.go b/code/go/ecs/group.go
deleted file mode 100644
index ebcd78e148..0000000000
--- a/code/go/ecs/group.go
+++ /dev/null
@@ -1,34 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// The group fields are meant to represent groups that are relevant to the
-// event.
-type Group struct {
- // Unique identifier for the group on the system/platform.
- ID string `ecs:"id"`
-
- // Name of the group.
- Name string `ecs:"name"`
-
- // Name of the directory the group is a member of.
- // For example, an LDAP or Active Directory domain name.
- Domain string `ecs:"domain"`
-}
diff --git a/code/go/ecs/hash.go b/code/go/ecs/hash.go
deleted file mode 100644
index 070b4256cc..0000000000
--- a/code/go/ecs/hash.go
+++ /dev/null
@@ -1,38 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// The hash fields represent different hash algorithms and their values.
-// Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields
-// for other hashes by lowercasing the hash algorithm name and using underscore
-// separators as appropriate (snake case, e.g. sha3_512).
-type Hash struct {
- // MD5 hash.
- Md5 string `ecs:"md5"`
-
- // SHA1 hash.
- Sha1 string `ecs:"sha1"`
-
- // SHA256 hash.
- Sha256 string `ecs:"sha256"`
-
- // SHA512 hash.
- Sha512 string `ecs:"sha512"`
-}
diff --git a/code/go/ecs/host.go b/code/go/ecs/host.go
deleted file mode 100644
index 44e52b6c8a..0000000000
--- a/code/go/ecs/host.go
+++ /dev/null
@@ -1,67 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// A host is defined as a general computing instance.
-// ECS host.* fields should be populated with details about the host on which
-// the event happened, or from which the measurement was taken. Host types
-// include hardware, virtual machines, Docker containers, and Kubernetes nodes.
-type Host struct {
- // Hostname of the host.
- // It normally contains what the `hostname` command returns on the host
- // machine.
- Hostname string `ecs:"hostname"`
-
- // Name of the host.
- // It can contain what `hostname` returns on Unix systems, the fully
- // qualified domain name, or a name specified by the user. The sender
- // decides which value to use.
- Name string `ecs:"name"`
-
- // Unique host id.
- // As hostname is not always unique, use values that are meaningful in your
- // environment.
- // Example: The current usage of `beat.name`.
- ID string `ecs:"id"`
-
- // Host ip address.
- IP string `ecs:"ip"`
-
- // Host mac address.
- MAC string `ecs:"mac"`
-
- // Type of host.
- // For Cloud providers this can be the machine type like `t2.medium`. If
- // vm, this could be the container, for example, or other information
- // meaningful in your environment.
- Type string `ecs:"type"`
-
- // Seconds the host has been up.
- Uptime int64 `ecs:"uptime"`
-
- // Operating system architecture.
- Architecture string `ecs:"architecture"`
-
- // Name of the domain of which the host is a member.
- // For example, on Windows this could be the host's Active Directory domain
- // or NetBIOS domain name. For Linux this could be the domain of the
- // host's LDAP provider.
- Domain string `ecs:"domain"`
-}
diff --git a/code/go/ecs/http.go b/code/go/ecs/http.go
deleted file mode 100644
index 0f2228502d..0000000000
--- a/code/go/ecs/http.go
+++ /dev/null
@@ -1,56 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// Fields related to HTTP activity. Use the `url` field set to store the url of
-// the request.
-type Http struct {
- // HTTP request method.
- // The field value must be normalized to lowercase for querying. See the
- // documentation section "Implementing ECS".
- RequestMethod string `ecs:"request.method"`
-
- // The full HTTP request body.
- RequestBodyContent string `ecs:"request.body.content"`
-
- // Referrer for this HTTP request.
- RequestReferrer string `ecs:"request.referrer"`
-
- // HTTP response status code.
- ResponseStatusCode int64 `ecs:"response.status_code"`
-
- // The full HTTP response body.
- ResponseBodyContent string `ecs:"response.body.content"`
-
- // HTTP version.
- Version string `ecs:"version"`
-
- // Total size in bytes of the request (body and headers).
- RequestBytes int64 `ecs:"request.bytes"`
-
- // Size in bytes of the request body.
- RequestBodyBytes int64 `ecs:"request.body.bytes"`
-
- // Total size in bytes of the response (body and headers).
- ResponseBytes int64 `ecs:"response.bytes"`
-
- // Size in bytes of the response body.
- ResponseBodyBytes int64 `ecs:"response.body.bytes"`
-}
diff --git a/code/go/ecs/log.go b/code/go/ecs/log.go
deleted file mode 100644
index 015b16da70..0000000000
--- a/code/go/ecs/log.go
+++ /dev/null
@@ -1,94 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// Details about the event's logging mechanism or logging transport.
-// The log.* fields are typically populated with details about the logging
-// mechanism used to create and/or transport the event. For example, syslog
-// details belong under `log.syslog.*`.
-// The details specific to your event source are typically not logged under
-// `log.*`, but rather in `event.*` or in other ECS fields.
-type Log struct {
- // Original log level of the log event.
- // If the source of the event provides a log level or textual severity,
- // this is the one that goes in `log.level`. If your source doesn't specify
- // one, you may put your event transport's severity here (e.g. Syslog
- // severity).
- // Some examples are `warn`, `err`, `i`, `informational`.
- Level string `ecs:"level"`
-
- // This is the original log message and contains the full log message
- // before splitting it up in multiple parts.
- // In contrast to the `message` field which can contain an extracted part
- // of the log message, this field contains the original, full log message.
- // It can have already some modifications applied like encoding or new
- // lines removed to clean up the log message.
- // This field is not indexed and doc_values are disabled so it can't be
- // queried but the value can be retrieved from `_source`.
- Original string `ecs:"original"`
-
- // The name of the logger inside an application. This is usually the name
- // of the class which initialized the logger, or can be a custom name.
- Logger string `ecs:"logger"`
-
- // The name of the file containing the source code which originated the log
- // event. Note that this is not the name of the log file.
- OriginFileName string `ecs:"origin.file.name"`
-
- // The line number of the file containing the source code which originated
- // the log event.
- OriginFileLine int32 `ecs:"origin.file.line"`
-
- // The name of the function or method which originated the log event.
- OriginFunction string `ecs:"origin.function"`
-
- // The Syslog metadata of the event, if the event was transmitted via
- // Syslog. Please see RFCs 5424 or 3164.
- Syslog map[string]interface{} `ecs:"syslog"`
-
- // The Syslog numeric severity of the log event, if available.
- // If the event source publishing via Syslog provides a different numeric
- // severity value (e.g. firewall, IDS), your source's numeric severity
- // should go to `event.severity`. If the event source does not specify a
- // distinct severity, you can optionally copy the Syslog severity to
- // `event.severity`.
- SyslogSeverityCode int64 `ecs:"syslog.severity.code"`
-
- // The Syslog numeric severity of the log event, if available.
- // If the event source publishing via Syslog provides a different severity
- // value (e.g. firewall, IDS), your source's text severity should go to
- // `log.level`. If the event source does not specify a distinct severity,
- // you can optionally copy the Syslog severity to `log.level`.
- SyslogSeverityName string `ecs:"syslog.severity.name"`
-
- // The Syslog numeric facility of the log event, if available.
- // According to RFCs 5424 and 3164, this value should be an integer between
- // 0 and 23.
- SyslogFacilityCode int64 `ecs:"syslog.facility.code"`
-
- // The Syslog text-based facility of the log event, if available.
- SyslogFacilityName string `ecs:"syslog.facility.name"`
-
- // Syslog numeric priority of the event, if available.
- // According to RFCs 5424 and 3164, the priority is 8 * facility +
- // severity. This number is therefore expected to contain a value between 0
- // and 191.
- SyslogPriority int64 `ecs:"syslog.priority"`
-}
diff --git a/code/go/ecs/network.go b/code/go/ecs/network.go
deleted file mode 100644
index 1175227f36..0000000000
--- a/code/go/ecs/network.go
+++ /dev/null
@@ -1,95 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// The network is defined as the communication path over which a host or
-// network event happens.
-// The network.* fields should be populated with details about the network
-// activity associated with an event.
-type Network struct {
- // Name given by operators to sections of their network.
- Name string `ecs:"name"`
-
- // In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec,
- // pim, etc
- // The field value must be normalized to lowercase for querying. See the
- // documentation section "Implementing ECS".
- Type string `ecs:"type"`
-
- // IANA Protocol Number
- // (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
- // Standardized list of protocols. This aligns well with NetFlow and sFlow
- // related logs which use the IANA Protocol Number.
- IANANumber string `ecs:"iana_number"`
-
- // Same as network.iana_number, but instead using the Keyword name of the
- // transport layer (udp, tcp, ipv6-icmp, etc.)
- // The field value must be normalized to lowercase for querying. See the
- // documentation section "Implementing ECS".
- Transport string `ecs:"transport"`
-
- // A name given to an application level protocol. This can be arbitrarily
- // assigned for things like microservices, but also apply to things like
- // skype, icq, facebook, twitter. This would be used in situations where
- // the vendor or service can be decoded such as from the source/dest IP
- // owners, ports, or wire format.
- // The field value must be normalized to lowercase for querying. See the
- // documentation section "Implementing ECS".
- Application string `ecs:"application"`
-
- // L7 Network protocol name. ex. http, lumberjack, transport protocol.
- // The field value must be normalized to lowercase for querying. See the
- // documentation section "Implementing ECS".
- Protocol string `ecs:"protocol"`
-
- // Direction of the network traffic.
- // Recommended values are:
- // * inbound
- // * outbound
- // * internal
- // * external
- // * unknown
- //
- // When mapping events from a host-based monitoring context, populate this
- // field from the host's point of view.
- // When mapping events from a network or perimeter-based monitoring
- // context, populate this field from the point of view of your network
- // perimeter.
- Direction string `ecs:"direction"`
-
- // Host IP address when the source IP address is the proxy.
- ForwardedIP string `ecs:"forwarded_ip"`
-
- // A hash of source and destination IPs and ports, as well as the protocol
- // used in a communication. This is a tool-agnostic standard to identify
- // flows.
- // Learn more at https://github.com/corelight/community-id-spec.
- CommunityID string `ecs:"community_id"`
-
- // Total bytes transferred in both directions.
- // If `source.bytes` and `destination.bytes` are known, `network.bytes` is
- // their sum.
- Bytes int64 `ecs:"bytes"`
-
- // Total packets transferred in both directions.
- // If `source.packets` and `destination.packets` are known,
- // `network.packets` is their sum.
- Packets int64 `ecs:"packets"`
-}
diff --git a/code/go/ecs/observer.go b/code/go/ecs/observer.go
deleted file mode 100644
index c7b65f84af..0000000000
--- a/code/go/ecs/observer.go
+++ /dev/null
@@ -1,68 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// An observer is defined as a special network, security, or application device -// used to detect, observe, or create network, security, or application-related -// events and metrics. -// This could be a custom hardware appliance or a server that has been -// configured to run special network, security, or application software. -// Examples include firewalls, web proxies, intrusion detection/prevention -// systems, network monitoring sensors, web application firewalls, data loss -// prevention systems, and APM servers. The observer.* fields shall be -// populated with details of the system, if any, that detects, observes and/or -// creates a network, security, or application event or metric. Message queues -// and ETL components used in processing events or metrics are not considered -// observers in ECS. -type Observer struct { - // MAC address of the observer - MAC string `ecs:"mac"` - - // IP address of the observer. - IP string `ecs:"ip"` - - // Hostname of the observer. - Hostname string `ecs:"hostname"` - - // Custom name of the observer. 
- // This is a name that can be given to an observer. This can be helpful for - // example if multiple firewalls of the same model are used in an - // organization. - // If no custom name is needed, the field can be left empty. - Name string `ecs:"name"` - - // The product name of the observer. - Product string `ecs:"product"` - - // Vendor name of the observer. - Vendor string `ecs:"vendor"` - - // Observer version. - Version string `ecs:"version"` - - // Observer serial number. - SerialNumber string `ecs:"serial_number"` - - // The type of the observer the data is coming from. - // There is no predefined list of observer types. Some examples are - // `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM - // server`. - Type string `ecs:"type"` -} diff --git a/code/go/ecs/organization.go b/code/go/ecs/organization.go deleted file mode 100644 index f60af6d90b..0000000000 --- a/code/go/ecs/organization.go +++ /dev/null 
@@ -1,32 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// The organization fields enrich data with information about the company or -// entity the data is associated with. -// These fields help you arrange or filter data stored in an index by one or -// multiple organizations. -type Organization struct { - // Organization name. - Name string `ecs:"name"` - - // Unique identifier for the organization. - ID string `ecs:"id"` -} diff --git a/code/go/ecs/os.go b/code/go/ecs/os.go deleted file mode 100644 index a118950bbf..0000000000 --- a/code/go/ecs/os.go +++ /dev/null 
@@ -1,41 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// The OS fields contain information about the operating system. -type Os struct { - // Operating system platform (such centos, ubuntu, windows). - Platform string `ecs:"platform"` - - // Operating system name, without the version. - Name string `ecs:"name"` - - // Operating system name, including the version or code name. - Full string `ecs:"full"` - - // OS family (such as redhat, debian, freebsd, windows). - Family string `ecs:"family"` - - // Operating system version as a raw string. - Version string `ecs:"version"` - - // Operating system kernel version as a raw string. - Kernel string `ecs:"kernel"` -} diff --git a/code/go/ecs/package.go b/code/go/ecs/package.go deleted file mode 100644 index 13d23c4ee2..0000000000 --- a/code/go/ecs/package.go +++ /dev/null 
@@ -1,74 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -import ( - "time" -) - -// These fields contain information about an installed software package. It -// contains general information about a package, such as name, version or size. -// It also contains installation details, such as time or location. -type Package struct { - // Package name - Name string `ecs:"name"` - - // Package version - Version string `ecs:"version"` - - // Additional information about the build version of the installed package. - // For example use the commit SHA of a non-released package. - BuildVersion string `ecs:"build_version"` - - // Description of the package. - Description string `ecs:"description"` - - // Package size in bytes. - Size int64 `ecs:"size"` - - // Time when package was installed. - Installed time.Time `ecs:"installed"` - - // Path where the package is installed. - Path string `ecs:"path"` - - // Package architecture. - Architecture string `ecs:"architecture"` - - // Checksum of the installed package for verification. - Checksum string `ecs:"checksum"` - - // Indicating how the package was installed, e.g. user-local, global. 
- InstallScope string `ecs:"install_scope"` - - // License under which the package was released. - // Use a short name, e.g. the license identifier from SPDX License List - // where possible (https://spdx.org/licenses/). - License string `ecs:"license"` - - // Home page or reference URL of the software in this package, if - // available. - Reference string `ecs:"reference"` - - // Type of package. - // This should contain the package file type, rather than the package - // manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. - Type string `ecs:"type"` -} diff --git a/code/go/ecs/process.go b/code/go/ecs/process.go deleted file mode 100644 index 64767d8992..0000000000 --- a/code/go/ecs/process.go +++ /dev/null 
@@ -1,145 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -import ( - "time" -) - -// These fields contain information about a process. -// These fields can help you correlate metrics information with a process -// id/name from a log message. The `process.pid` often stays in the metric -// itself and is copied to the global field for correlation. -type Process struct { - // Process id. - PID int64 `ecs:"pid"` - - // Process id. - ParentPID int64 `ecs:"parent.pid"` - - // Process name. - // Sometimes called program name or similar. - Name string `ecs:"name"` - - // Process name. - // Sometimes called program name or similar. - ParentName string `ecs:"parent.name"` - - // Parent process' pid. - PPID int64 `ecs:"ppid"` - - // Parent process' pid. - ParentPPID int64 `ecs:"parent.ppid"` - - // Identifier of the group of processes the process belongs to. - PGID int64 `ecs:"pgid"` - - // Identifier of the group of processes the process belongs to. - ParentPGID int64 `ecs:"parent.pgid"` - - // Full command line that started the process, including the absolute path - // to the executable, and all arguments. 
- // Some arguments may be filtered to protect sensitive information. - CommandLine string `ecs:"command_line"` - - // Full command line that started the process, including the absolute path - // to the executable, and all arguments. - // Some arguments may be filtered to protect sensitive information. - ParentCommandLine string `ecs:"parent.command_line"` - - // Array of process arguments, starting with the absolute path to the - // executable. - // May be filtered to protect sensitive information. - Args []string `ecs:"args"` - - // Array of process arguments. - // May be filtered to protect sensitive information. - ParentArgs string `ecs:"parent.args"` - - // Length of the process.args array. - // This field can be useful for querying or performing bucket analysis on - // how many arguments were provided to start a process. More arguments may - // be an indication of suspicious activity. - ArgsCount int64 `ecs:"args_count"` - - // Length of the process.args array. - // This field can be useful for querying or performing bucket analysis on - // how many arguments were provided to start a process. More arguments may - // be an indication of suspicious activity. - ParentArgsCount int64 `ecs:"parent.args_count"` - - // Absolute path to the process executable. - Executable string `ecs:"executable"` - - // Absolute path to the process executable. - ParentExecutable string `ecs:"parent.executable"` - - // Process title. - // The proctitle, some times the same as process name. Can also be - // different: for example a browser setting its title to the web page - // currently opened. - Title string `ecs:"title"` - - // Process title. - // The proctitle, some times the same as process name. Can also be - // different: for example a browser setting its title to the web page - // currently opened. - ParentTitle string `ecs:"parent.title"` - - // Thread ID. - ThreadID int64 `ecs:"thread.id"` - - // Thread ID. - ParentThreadID int64 `ecs:"parent.thread.id"` - - // Thread name. 
- ThreadName string `ecs:"thread.name"` - - // Thread name. - ParentThreadName string `ecs:"parent.thread.name"` - - // The time the process started. - Start time.Time `ecs:"start"` - - // The time the process started. - ParentStart time.Time `ecs:"parent.start"` - - // Seconds the process has been up. - Uptime int64 `ecs:"uptime"` - - // Seconds the process has been up. - ParentUptime int64 `ecs:"parent.uptime"` - - // The working directory of the process. - WorkingDirectory string `ecs:"working_directory"` - - // The working directory of the process. - ParentWorkingDirectory string `ecs:"parent.working_directory"` - - // The exit code of the process, if this is a termination event. - // The field should be absent if there is no exit code for the event (e.g. - // process start). - ExitCode int64 `ecs:"exit_code"` - - // The exit code of the process, if this is a termination event. - // The field should be absent if there is no exit code for the event (e.g. - // process start). - ParentExitCode int64 `ecs:"parent.exit_code"` -} diff --git a/code/go/ecs/related.go b/code/go/ecs/related.go deleted file mode 100644 index 43fea9347e..0000000000 --- a/code/go/ecs/related.go +++ /dev/null 
@@ -1,33 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// This field set is meant to facilitate pivoting around a piece of data. -// Some pieces of information can be seen in many places in an ECS event. To -// facilitate searching for them, store an array of all seen values to their -// corresponding field in `related.`. -// A concrete example is IP addresses, which can be under host, observer, -// source, destination, client, server, and network.forwarded_ip. If you append -// all IPs to `related.ip`, you can then search for a given IP trivially, no -// matter where it appeared, by querying `related.ip:a.b.c.d`. -type Related struct { - // All of the IPs seen on your event. - IP string `ecs:"ip"` -} diff --git a/code/go/ecs/server.go b/code/go/ecs/server.go deleted file mode 100644 index a4cbea6460..0000000000 --- a/code/go/ecs/server.go +++ /dev/null 
@@ -1,88 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// A Server is defined as the responder in a network connection for events -// regarding sessions, connections, or bidirectional flow records. -// For TCP events, the server is the receiver of the initial SYN packet(s) of -// the TCP connection. For other protocols, the server is generally the -// responder in the network transaction. Some systems actually use the term -// "responder" to refer the server in TCP connections. The server fields -// describe details about the system acting as the server in the network event. -// Server fields are usually populated in conjunction with client fields. -// Server fields are generally not populated for packet-level events. -// Client / server representations can add semantic context to an exchange, -// which is helpful to visualize the data in certain situations. If your -// context falls in that category, you should still ensure that source and -// destination are filled appropriately. -type Server struct { - // Some event server addresses are defined ambiguously. The event will - // sometimes list an IP, a domain or a unix socket. 
You should always - // store the raw address in the `.address` field. - // Then it should be duplicated to `.ip` or `.domain`, depending on which - // one it is. - Address string `ecs:"address"` - - // IP address of the server. - // Can be one or multiple IPv4 or IPv6 addresses. - IP string `ecs:"ip"` - - // Port of the server. - Port int64 `ecs:"port"` - - // MAC address of the server. - MAC string `ecs:"mac"` - - // Server domain. - Domain string `ecs:"domain"` - - // The highest registered server domain, stripped of the subdomain. - // For example, the registered domain for "foo.google.com" is "google.com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last two labels will not work well for TLDs such as - // "co.uk". - RegisteredDomain string `ecs:"registered_domain"` - - // The effective top level domain (eTLD), also known as the domain suffix, - // is the last part of the domain name. For example, the top level domain - // for google.com is "com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last label will not work well for effective TLDs such - // as "co.uk". - TopLevelDomain string `ecs:"top_level_domain"` - - // Bytes sent from the server to the client. - Bytes int64 `ecs:"bytes"` - - // Packets sent from the server to the client. - Packets int64 `ecs:"packets"` - - // Translated ip of destination based NAT sessions (e.g. internet to - // private DMZ) - // Typically used with load balancers, firewalls, or routers. - NatIP string `ecs:"nat.ip"` - - // Translated port of destination based NAT sessions (e.g. internet to - // private DMZ) - // Typically used with load balancers, firewalls, or routers. - NatPort int64 `ecs:"nat.port"` -} 
diff --git a/code/go/ecs/service.go b/code/go/ecs/service.go
deleted file mode 100644
index 7ccbda2151..0000000000
--- a/code/go/ecs/service.go
+++ /dev/null
@@ -1,76 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// The service fields describe the service for or from which the data was -// collected. -// These fields help you find and correlate logs for a specific service and -// version. -type Service struct { - // Unique identifier of the running service. If the service is comprised of - // many nodes, the `service.id` should be the same for all nodes. - // This id should uniquely identify the service. This makes it possible to - // correlate logs and metrics for one specific service, no matter which - // particular node emitted the event. - // Note that if you need to see the events from one specific host of the - // service, you should filter on that `host.name` or `host.id` instead. - ID string `ecs:"id"` - - // Name of the service data is collected from. - // The name of the service is normally user given. This allows for - // distributed services that run on multiple hosts to correlate the related - // instances based on the name. - // In the case of Elasticsearch the `service.name` could contain the - // cluster name. 
For Beats the `service.name` is by default a copy of the - // `service.type` field if no name is specified. - Name string `ecs:"name"` - - // Name of a service node. - // This allows for two nodes of the same service running on the same host - // to be differentiated. Therefore, `service.node.name` should typically be - // unique across nodes of a given service. - // In the case of Elasticsearch, the `service.node.name` could contain the - // unique node name within the Elasticsearch cluster. In cases where the - // service doesn't have the concept of a node name, the host name or - // container name can be used to distinguish running instances that make up - // this service. If those do not provide uniqueness (e.g. multiple - // instances of the service running on the same host) - the node name can - // be manually set. - NodeName string `ecs:"node.name"` - - // The type of the service data is collected from. - // The type can be used to group and correlate logs and metrics from one - // service type. - // Example: If logs or metrics are collected from Elasticsearch, - // `service.type` would be `elasticsearch`. - Type string `ecs:"type"` - - // Current state of the service. - State string `ecs:"state"` - - // Version of the service the data was collected from. - // This allows to look at a data set only for a specific version of a - // service. - Version string `ecs:"version"` - - // Ephemeral identifier of this service (if one exists). - // This id normally changes across restarts, but `service.id` does not. - EphemeralID string `ecs:"ephemeral_id"` -} diff --git a/code/go/ecs/source.go b/code/go/ecs/source.go deleted file mode 100644 index 404831ebd4..0000000000 --- a/code/go/ecs/source.go +++ /dev/null 
@@ -1,77 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// Source fields describe details about the source of a packet/event. -// Source fields are usually populated in conjunction with destination fields. -type Source struct { - // Some event source addresses are defined ambiguously. The event will - // sometimes list an IP, a domain or a unix socket. You should always - // store the raw address in the `.address` field. - // Then it should be duplicated to `.ip` or `.domain`, depending on which - // one it is. - Address string `ecs:"address"` - - // IP address of the source. - // Can be one or multiple IPv4 or IPv6 addresses. - IP string `ecs:"ip"` - - // Port of the source. - Port int64 `ecs:"port"` - - // MAC address of the source. - MAC string `ecs:"mac"` - - // Source domain. - Domain string `ecs:"domain"` - - // The highest registered source domain, stripped of the subdomain. - // For example, the registered domain for "foo.google.com" is "google.com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). 
Trying to approximate this by - // simply taking the last two labels will not work well for TLDs such as - // "co.uk". - RegisteredDomain string `ecs:"registered_domain"` - - // The effective top level domain (eTLD), also known as the domain suffix, - // is the last part of the domain name. For example, the top level domain - // for google.com is "com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last label will not work well for effective TLDs such - // as "co.uk". - TopLevelDomain string `ecs:"top_level_domain"` - - // Bytes sent from the source to the destination. - Bytes int64 `ecs:"bytes"` - - // Packets sent from the source to the destination. - Packets int64 `ecs:"packets"` - - // Translated ip of source based NAT sessions (e.g. internal client to - // internet) - // Typically connections traversing load balancers, firewalls, or routers. - NatIP string `ecs:"nat.ip"` - - // Translated port of source based NAT sessions. (e.g. internal client to - // internet) - // Typically used with load balancers, firewalls, or routers. - NatPort int64 `ecs:"nat.port"` -} diff --git a/code/go/ecs/threat.go b/code/go/ecs/threat.go deleted file mode 100644 index 27567604ec..0000000000 --- a/code/go/ecs/threat.go +++ /dev/null 
@@ -1,66 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// Fields to classify events and alerts according to a threat taxonomy such as -// the Mitre ATT&CK framework. -// These fields are for users to classify alerts from all of their sources -// (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are -// meant to capture the high level category of the threat (e.g. "impact"). The -// threat.technique.* fields are meant to capture which kind of approach is -// used by this detected threat, to accomplish the goal (e.g. "endpoint denial -// of service"). -type Threat struct { - // Name of the threat framework used to further categorize and classify the - // tactic and technique of the reported threat. Framework classification - // can be provided by detecting systems, evaluated at ingest time, or - // retrospectively tagged to events. - Framework string `ecs:"framework"` - - // Name of the type of tactic used by this threat. You can use the Mitre - // ATT&CK Matrix Tactic categorization, for example. (ex. 
- // https://attack.mitre.org/tactics/TA0040/ ) - TacticName string `ecs:"tactic.name"` - - // The id of tactic used by this threat. You can use the Mitre ATT&CK - // Matrix Tactic categorization, for example. (ex. - // https://attack.mitre.org/tactics/TA0040/ ) - TacticID string `ecs:"tactic.id"` - - // The reference url of tactic used by this threat. You can use the Mitre - // ATT&CK Matrix Tactic categorization, for example. (ex. - // https://attack.mitre.org/tactics/TA0040/ ) - TacticReference string `ecs:"tactic.reference"` - - // The name of technique used by this tactic. You can use the Mitre ATT&CK - // Matrix Tactic categorization, for example. (ex. - // https://attack.mitre.org/techniques/T1499/ ) - TechniqueName string `ecs:"technique.name"` - - // The id of technique used by this tactic. You can use the Mitre ATT&CK - // Matrix Tactic categorization, for example. (ex. - // https://attack.mitre.org/techniques/T1499/ ) - TechniqueID string `ecs:"technique.id"` - - // The reference url of technique used by this tactic. You can use the - // Mitre ATT&CK Matrix Tactic categorization, for example. (ex. - // https://attack.mitre.org/techniques/T1499/ ) - TechniqueReference string `ecs:"technique.reference"` -} diff --git a/code/go/ecs/tls.go b/code/go/ecs/tls.go deleted file mode 100644 index fdb5144020..0000000000 --- a/code/go/ecs/tls.go +++ /dev/null 
@@ -1,154 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -import ( - "time" -) - -// Fields related to a TLS connection. These fields focus on the TLS protocol -// itself and intentionally avoids in-depth analysis of the related x.509 -// certificate files. -type Tls struct { - // Numeric part of the version parsed from the original string. - Version string `ecs:"version"` - - // Normalized lowercase protocol name parsed from original string. - VersionProtocol string `ecs:"version_protocol"` - - // String indicating the cipher used during the current connection. - Cipher string `ecs:"cipher"` - - // String indicating the curve used for the given cipher, when applicable. - Curve string `ecs:"curve"` - - // Boolean flag indicating if this TLS connection was resumed from an - // existing TLS negotiation. - Resumed bool `ecs:"resumed"` - - // Boolean flag indicating if the TLS negotiation was successful and - // transitioned to an encrypted tunnel. - Established bool `ecs:"established"` - - // String indicating the protocol being tunneled. 
Per the values in the - // IANA registry - // (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), - // this string should be lower case. - NextProtocol string `ecs:"next_protocol"` - - // A hash that identifies clients based on how they perform an SSL/TLS - // handshake. - ClientJa3 string `ecs:"client.ja3"` - - // Also called an SNI, this tells the server which hostname to which the - // client is attempting to connect. When this value is available, it should - // get copied to `destination.domain`. - ClientServerName string `ecs:"client.server_name"` - - // Array of ciphers offered by the client during the client hello. - ClientSupportedCiphers string `ecs:"client.supported_ciphers"` - - // Distinguished name of subject of the x.509 certificate presented by the - // client. - ClientSubject string `ecs:"client.subject"` - - // Distinguished name of subject of the issuer of the x.509 certificate - // presented by the client. - ClientIssuer string `ecs:"client.issuer"` - - // Date/Time indicating when client certificate is first considered valid. - ClientNotBefore time.Time `ecs:"client.not_before"` - - // Date/Time indicating when client certificate is no longer considered - // valid. - ClientNotAfter time.Time `ecs:"client.not_after"` - - // Array of PEM-encoded certificates that make up the certificate chain - // offered by the client. This is usually mutually-exclusive of - // `client.certificate` since that value should be the first certificate in - // the chain. - ClientCertificateChain string `ecs:"client.certificate_chain"` - - // PEM-encoded stand-alone certificate offered by the client. This is - // usually mutually-exclusive of `client.certificate_chain` since this - // value also exists in that list. - ClientCertificate string `ecs:"client.certificate"` - - // Certificate fingerprint using the MD5 digest of DER-encoded version of - // certificate offered by the client. 
For consistency with other hash - // values, this value should be formatted as an uppercase hash. - ClientHashMd5 string `ecs:"client.hash.md5"` - - // Certificate fingerprint using the SHA1 digest of DER-encoded version of - // certificate offered by the client. For consistency with other hash - // values, this value should be formatted as an uppercase hash. - ClientHashSha1 string `ecs:"client.hash.sha1"` - - // Certificate fingerprint using the SHA256 digest of DER-encoded version - // of certificate offered by the client. For consistency with other hash - // values, this value should be formatted as an uppercase hash. - ClientHashSha256 string `ecs:"client.hash.sha256"` - - // A hash that identifies servers based on how they perform an SSL/TLS - // handshake. - ServerJa3s string `ecs:"server.ja3s"` - - // Array of ciphers offered by the server during the server hello. - ServerSupportedCiphers string `ecs:"server.supported_ciphers"` - - // Subject of the x.509 certificate presented by the server. - ServerSubject string `ecs:"server.subject"` - - // Subject of the issuer of the x.509 certificate presented by the server. - ServerIssuer string `ecs:"server.issuer"` - - // Timestamp indicating when server certificate is first considered valid. - ServerNotBefore time.Time `ecs:"server.not_before"` - - // Timestamp indicating when server certificate is no longer considered - // valid. - ServerNotAfter time.Time `ecs:"server.not_after"` - - // Array of PEM-encoded certificates that make up the certificate chain - // offered by the server. This is usually mutually-exclusive of - // `server.certificate` since that value should be the first certificate in - // the chain. - ServerCertificateChain string `ecs:"server.certificate_chain"` - - // PEM-encoded stand-alone certificate offered by the server. This is - // usually mutually-exclusive of `server.certificate_chain` since this - // value also exists in that list. 
- ServerCertificate string `ecs:"server.certificate"` - - // Certificate fingerprint using the MD5 digest of DER-encoded version of - // certificate offered by the server. For consistency with other hash - // values, this value should be formatted as an uppercase hash. - ServerHashMd5 string `ecs:"server.hash.md5"` - - // Certificate fingerprint using the SHA1 digest of DER-encoded version of - // certificate offered by the server. For consistency with other hash - // values, this value should be formatted as an uppercase hash. - ServerHashSha1 string `ecs:"server.hash.sha1"` - - // Certificate fingerprint using the SHA256 digest of DER-encoded version - // of certificate offered by the server. For consistency with other hash - // values, this value should be formatted as an uppercase hash. - ServerHashSha256 string `ecs:"server.hash.sha256"` -} diff --git a/code/go/ecs/tracing.go b/code/go/ecs/tracing.go deleted file mode 100644 index 7d5435c44d..0000000000 --- a/code/go/ecs/tracing.go +++ /dev/null 
@@ -1,37 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// Distributed tracing makes it possible to analyze performance throughout a -// microservice architecture all in one view. This is accomplished by tracing -// all of the requests - from the initial web request in the front-end service -// - to queries made through multiple back-end services. -type Tracing struct { - // Unique identifier of the trace. - // A trace groups multiple events like transactions that belong together. - // For example, a user request handled by multiple inter-connected - // services. - TraceID string `ecs:"trace.id"` - - // Unique identifier of the transaction. - // A transaction is the highest level of work measured within a service, - // such as a request to a server. - TransactionID string `ecs:"transaction.id"` -} diff --git a/code/go/ecs/url.go b/code/go/ecs/url.go deleted file mode 100644 index 087684ed45..0000000000 --- a/code/go/ecs/url.go +++ /dev/null 
@@ -1,94 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// URL fields provide support for complete or partial URLs, and supports the -// breaking down into scheme, domain, path, and so on. -type Url struct { - // Unmodified original url as seen in the event source. - // Note that in network monitoring, the observed URL may be a full URL, - // whereas in access logs, the URL is often just represented as a path. - // This field is meant to represent the URL as it was observed, complete or - // not. - Original string `ecs:"original"` - - // If full URLs are important to your use case, they should be stored in - // `url.full`, whether this field is reconstructed or present in the event - // source. - Full string `ecs:"full"` - - // Scheme of the request, such as "https". - // Note: The `:` is not part of the scheme. - Scheme string `ecs:"scheme"` - - // Domain of the url, such as "www.elastic.co". - // In some cases a URL may refer to an IP and/or port directly, without a - // domain name. In this case, the IP address would go to the `domain` - // field. 
- Domain string `ecs:"domain"` - - // The highest registered url domain, stripped of the subdomain. - // For example, the registered domain for "foo.google.com" is "google.com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last two labels will not work well for TLDs such as - // "co.uk". - RegisteredDomain string `ecs:"registered_domain"` - - // The effective top level domain (eTLD), also known as the domain suffix, - // is the last part of the domain name. For example, the top level domain - // for google.com is "com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last label will not work well for effective TLDs such - // as "co.uk". - TopLevelDomain string `ecs:"top_level_domain"` - - // Port of the request, such as 443. - Port int64 `ecs:"port"` - - // Path of the request, such as "/search". - Path string `ecs:"path"` - - // The query field describes the query string of the request, such as - // "q=elasticsearch". - // The `?` is excluded from the query string. If a URL contains no `?`, - // there is no query field. If there is a `?` but no query, the query field - // exists with an empty string. The `exists` query can be used to - // differentiate between the two cases. - Query string `ecs:"query"` - - // The field contains the file extension from the original request url. - // The file extension is only set if it exists, as not every url has a file - // extension. - // The leading period must not be included. For example, the value must be - // "png", not ".png". - Extension string `ecs:"extension"` - - // Portion of the url after the `#`, such as "top". - // The `#` is not part of the fragment. - Fragment string `ecs:"fragment"` - - // Username of the request. 
- Username string `ecs:"username"` - - // Password of the request. - Password string `ecs:"password"` -} diff --git a/code/go/ecs/user.go b/code/go/ecs/user.go deleted file mode 100644 index e80effb771..0000000000 --- a/code/go/ecs/user.go +++ /dev/null 
@@ -1,47 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// The user fields describe information about the user that is relevant to the -// event. -// Fields can have one entry or multiple entries. If a user has more than one -// id, provide an array that includes all of them. -type User struct { - // One or multiple unique identifiers of the user. - ID string `ecs:"id"` - - // Short name or login of the user. - Name string `ecs:"name"` - - // User's full name, if available. - FullName string `ecs:"full_name"` - - // User email address. - Email string `ecs:"email"` - - // Unique user hash to correlate information for a user in anonymized form. - // Useful if `user.id` or `user.name` contain confidential information and - // cannot be used. - Hash string `ecs:"hash"` - - // Name of the directory the user is a member of. - // For example, an LDAP or Active Directory domain name. - Domain string `ecs:"domain"` -} diff --git a/code/go/ecs/user_agent.go b/code/go/ecs/user_agent.go deleted file mode 100644 index f2e9268a10..0000000000 --- a/code/go/ecs/user_agent.go +++ /dev/null 
@@ -1,37 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// The user_agent fields normally come from a browser request. -// They often show up in web service logs coming from the parsed user agent -// string. -type UserAgent struct { - // Unparsed version of the user_agent. - Original string `ecs:"original"` - - // Name of the user agent. - Name string `ecs:"name"` - - // Version of the user agent. - Version string `ecs:"version"` - - // Name of the device. - DeviceName string `ecs:"device.name"` -} diff --git a/code/go/ecs/version.go b/code/go/ecs/version.go deleted file mode 100644 index 811991743f..0000000000 --- a/code/go/ecs/version.go +++ /dev/null 
@@ -1,23 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// Version is the Elastic Common Schema version from which this was generated. -const Version = "1.2.0-dev" diff --git a/code/go/ecs/vulnerability.go b/code/go/ecs/vulnerability.go deleted file mode 100644 index 97b0402856..0000000000 --- a/code/go/ecs/vulnerability.go +++ /dev/null 
@@ -1,93 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// The vulnerability fields describe information about a vulnerability that is -// relevant to an event. -type Vulnerability struct { - // The classification of the vulnerability scoring system. For example - // (https://www.first.org/cvss/) - Classification string `ecs:"classification"` - - // The type of identifier used for this vulnerability. For example - // (https://cve.mitre.org/about/) - Enumeration string `ecs:"enumeration"` - - // A resource that provides additional information, context, and - // mitigations for the identified vulnerability. - Reference string `ecs:"reference"` - - // Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - // Base scores cover an assessment for exploitability metrics (attack - // vector, complexity, privileges, and user interaction), impact metrics - // (confidentialy, integrity, and availability), and scope. For example - // (https://www.first.org/cvss/specification-document) - ScoreBase float64 `ecs:"score.base"` - - // Scores can range from 0.0 to 10.0, with 10.0 being the most severe. 
- // Temporal scores cover an assessment for code maturity, remediation - // level, and confidence. For example - // (https://www.first.org/cvss/specification-document) - ScoreTemporal float64 `ecs:"score.temporal"` - - // Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - // Environmental scores cover an assessment for any modified Base metrics, - // confidentiality, integrity, and availability requirements. For example - // (https://www.first.org/cvss/specification-document) - ScoreEnvironmental float64 `ecs:"score.environmental"` - - // The National Vulnerability Database (NVD) provides qualitative severity - // rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges - // in addition to the severity ratings for CVSS v3.0 as they are defined in - // the CVSS v3.0 specification. - // CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based - // non-profit organization, whose mission is to help computer security - // incident response teams across the world. For example - // (https://nvd.nist.gov/vuln-metrics/cvss) - ScoreVersion string `ecs:"score.version"` - - // The type of system or architecture that the vulnerability affects. These - // may be platform-specific (for example, Debian or SUSE) or general (for - // example, Database or Firewall). For example - // (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm) - // This field must be an array. - Category string `ecs:"category"` - - // The description of the vulnerability that provides additional context of - // the vulnerability. For example - // (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created) - Description string `ecs:"description"` - - // The identification (ID) is the number portion of a vulnerability entry. - // It includes a unique identification number for the vulnerability. 
For - // example (https://cve.mitre.org/about/faqs.html#what_is_cve_id) - ID string `ecs:"id"` - - // The name of the vulnerability scanner vendor. - ScannerVendor string `ecs:"scanner.vendor"` - - // The severity of the vulnerability can help with metrics and internal - // prioritization regarding remediation. For example - // (https://nvd.nist.gov/vuln-metrics/cvss) - Severity string `ecs:"severity"` - - // The report or scan identification number. - ReportID string `ecs:"report_id"` -} diff --git a/scripts/cmd/gocodegen/gocodegen.go b/scripts/cmd/gocodegen/gocodegen.go deleted file mode 100644 index c202691ce0..0000000000 --- a/scripts/cmd/gocodegen/gocodegen.go +++ /dev/null 
@@ -1,315 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package main
-
-import (
- "bufio"
- "bytes"
- "flag"
- "io/ioutil"
- "log"
- "os"
- "path/filepath"
- "strings"
- "text/template"
- "unicode"
-
- wordwrap "github.com/mitchellh/go-wordwrap"
-
- "github.com/elastic/beats/libbeat/common"
- "github.com/elastic/go-ucfg/yaml"
-)
-
-const license = `
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.`
-
-const typeTmpl = `
-{{.License}}
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-{{if .ImportTime -}}
-
-import (
- "time"
-)
-
-{{end -}}
-
-// {{.Description}}
-type {{.Name}} struct {
-{{- range $field := .Fields}}
- // {{$field.Comment}}
- {{$field.Name}} {{$field.Type}} \u0060ecs:"{{$field.JSONKey}}"\u0060
-{{ end -}}
-}
-`
-
-const versionTmpl = `
-{{.License}}
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// Version is the Elastic Common Schema version from which this was generated.
-const Version = "{{.Version}}"
-`
-
-var (
- goFileTemplate = template.Must(template.New("type").Parse(
- strings.Replace(typeTmpl[1:], `\u0060`, "`", -1)))
-
- versionFileTemplate = template.Must(template.New("version").Parse(
- versionTmpl[1:]))
-)
-
-type GoType struct {
- License string
- Description string
- Name string
- Fields []Field
- ImportTime bool
-}
-
-type Field struct {
- Comment string
- Name string
- Type string
- JSONKey string
-}
-
-// Flags
-var (
- schemaDir string
- outputDir string
- version string
-)
-
-func init() {
- flag.StringVar(&schemaDir, "schema", "schemas/", "Schema directory containing .yml files.")
- flag.StringVar(&outputDir, "out", "code/go/ecs", "Output directory for .go files.")
- flag.StringVar(&version, "version", "", "ECS Version (required)")
-}
-
-func main() {
- log.SetFlags(0)
- flag.Parse()
-
- if version == "" {
- log.Fatalf("Error: -version is required")
- }
-
- paths, err := filepath.Glob(filepath.Join(schemaDir, "*.yml"))
- if err != nil {
- log.Fatalf("Error: %v", err)
- }
-
- // Load schema files.
- fields := common.Fields{}
- for _, path := range paths {
- f := common.Fields{}
-
- cfg, err := yaml.NewConfigWithFile(path)
- if err != nil {
- log.Fatalf("Error: %v", err)
- }
- if err = cfg.Unpack(&f); err != nil {
- log.Fatalf("Error: %v", err)
- }
-
- for key := range f {
- // The definitions don't have the type group in and the template
- // generator assumes otherwise keyword as default.
- f[key].Type = "group"
- }
-
- fields = append(fields, f...)
- }
-
- // Generate Go source code.
- goFiles := map[string][]byte{}
- for _, group := range fields {
- if group.Type == "group" {
- t := GoType{
- License: license[1:],
- Description: descriptionToComment("", group.Description),
- Name: goTypeName(group.Name),
- }
-
- for _, field := range group.Fields {
- dataType := goDataType(field.Name, field.Type)
- if strings.HasPrefix(dataType, "time.") {
- t.ImportTime = true
- }
-
- t.Fields = append(t.Fields, Field{
- Comment: descriptionToComment("\t", field.Description),
- Name: goTypeName(field.Name),
- Type: dataType,
- JSONKey: field.Name,
- })
- }
-
- b := new(bytes.Buffer)
- err := goFileTemplate.Execute(b, t)
- if err != nil {
- log.Fatal(err)
- }
-
- goFiles[group.Name+".go"] = b.Bytes()
- }
- }
-
- // Create version.go containing a the version as a constant.
- b := new(bytes.Buffer)
- err = versionFileTemplate.Execute(b, map[string]interface{}{
- "License": license[1:],
- "Version": version,
- })
- if err != nil {
- log.Fatal(err)
- }
- goFiles["version.go"] = b.Bytes()
-
- // Output the files if there were no errors.
- for name, data := range goFiles {
- if err := os.MkdirAll(outputDir, 0755); err != nil {
- log.Fatalf("Error: %v", err)
- }
- if err := ioutil.WriteFile(filepath.Join(outputDir, name), data, 0644); err != nil {
- log.Fatalf("Error: %v", err)
- }
- }
-}
-
-// isSeparate returns true if the character is a field name separator. This is
-// used to detect the separators in fields like ephemeral_id or instance.name.
-func isSeparator(c rune) bool {
- switch c {
- case '.', '_':
- return true
- case '@':
- // This effectively filters @ from field names.
- return true
- default:
- return false
- }
-}
-
-// descriptionToComment builds a comment string that is wrapped at 80 chars.
-func descriptionToComment(indent, desc string) string {
- textLength := 80 - len(strings.Replace(indent, "\t", " ", 4)+" // ")
- lines := strings.Split(wordwrap.WrapString(desc, uint(textLength)), "\n")
- if len(lines) > 0 {
- // Remove empty first line.
- if strings.TrimSpace(lines[0]) == "" {
- lines = lines[1:]
- }
- }
- if len(lines) > 0 {
- // Remove empty last line.
- if strings.TrimSpace(lines[len(lines)-1]) == "" {
- lines = lines[:len(lines)-1]
- }
- }
- for i := 0; i < len(lines); i++ {
-
- }
- return trimTrailingWhitespace(strings.Join(lines, "\n"+indent+"// "))
-}
-
-func trimTrailingWhitespace(text string) string {
- var lines [][]byte
- s := bufio.NewScanner(bytes.NewBufferString(text))
- for s.Scan() {
- lines = append(lines, bytes.TrimRightFunc(s.Bytes(), unicode.IsSpace))
- }
- if err := s.Err(); err != nil {
- log.Fatal(err)
- }
- return string(bytes.Join(lines, []byte("\n")))
-}
-
-// goDataType returns the Go type to use for Elasticsearch mapping data type.
-func goDataType(fieldName, elasticsearchDataType string) string {
- // Special cases.
- switch {
- case fieldName == "duration" && elasticsearchDataType == "long":
- return "time.Duration"
- case fieldName == "args" && elasticsearchDataType == "keyword":
- return "[]string"
- }
-
- switch elasticsearchDataType {
- case "keyword", "text", "ip", "geo_point":
- return "string"
- case "long":
- return "int64"
- case "integer":
- return "int32"
- case "float":
- return "float64"
- case "date":
- return "time.Time"
- case "boolean":
- return "bool"
- case "object":
- return "map[string]interface{}"
- default:
- log.Fatalf("no translation for %v (field %s)", elasticsearchDataType, fieldName)
- return ""
- }
-}
-
-// abbreviations capitalizes common abbreviations.
-func abbreviations(abv string) string {
- switch strings.ToLower(abv) {
- case "id", "ppid", "pid", "pgid", "mac", "ip", "iana", "uid", "ecs", "as":
- return strings.ToUpper(abv)
- default:
- return abv
- }
-}
-
-// goTypeName removes special characters ('_', '.', '@') and returns a
-// camel-cased name.
-func goTypeName(name string) string {
- var b strings.Builder
- for _, w := range strings.FieldsFunc(name, isSeparator) {
- b.WriteString(strings.Title(abbreviations(w)))
- }
- return b.String()
-}
From 954d4a671d441591b43a6e28acc711346867697d Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Mon, 25 Nov 2019 11:23:45 -0500 Subject: [PATCH 2/2] Changelog --- CHANGELOG.next.md | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 7f249b49cc..41ccd92e68 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -37,6 +37,8 @@ Thanks, you're awesome :-) --> #### Breaking changes +* Removed the Go library from this repository. #628 + #### Bugfixes #### Added