From b5d967fa765c72dac306ef548d154b0fe0900b70 Mon Sep 17 00:00:00 2001 
From: Andrew Kroh Date: Sat, 24 Aug 2019 08:00:41 -0400 Subject: [PATCH] Update fields.yml for ECS v1.1.0 (#13321) This updates the fields.ecs.yml file and the vendored Go code to be based on ECS v1.1.0. Relates #13320 --- CHANGELOG.next.asciidoc | 1 + NOTICE.txt | 4 +- auditbeat/docs/fields.asciidoc | 804 +++++++++++++++- auditbeat/include/fields.go | 2 +- .../module/file_integrity/_meta/fields.yml | 4 + auditbeat/module/file_integrity/fields.go | 2 +- filebeat/_meta/fields.common.yml | 31 - filebeat/docs/fields.asciidoc | 859 ++++++++++++++++-- filebeat/include/fields.go | 2 +- filebeat/module/santa/_meta/fields.yml | 5 - filebeat/module/santa/fields.go | 2 +- heartbeat/docs/fields.asciidoc | 814 ++++++++++++++++- heartbeat/include/fields.go | 2 +- journalbeat/docs/fields.asciidoc | 814 ++++++++++++++++- journalbeat/include/fields.go | 2 +- libbeat/_meta/fields.ecs.yml | 560 +++++++++++- metricbeat/_meta/fields.common.yml | 5 - metricbeat/docs/fields.asciidoc | 798 +++++++++++++++- metricbeat/include/fields/fields.go | 2 +- packetbeat/docs/fields.asciidoc | 814 ++++++++++++++++- packetbeat/include/fields.go | 2 +- .../github.com/elastic/ecs/code/go/ecs/as.go | 33 + .../elastic/ecs/code/go/ecs/client.go | 10 + .../elastic/ecs/code/go/ecs/destination.go | 9 + .../github.com/elastic/ecs/code/go/ecs/dns.go | 114 +++ .../elastic/ecs/code/go/ecs/event.go | 31 +- .../elastic/ecs/code/go/ecs/file.go | 27 +- .../elastic/ecs/code/go/ecs/hash.go | 38 + .../elastic/ecs/code/go/ecs/host.go | 3 + .../github.com/elastic/ecs/code/go/ecs/log.go | 4 + .../elastic/ecs/code/go/ecs/process.go | 9 + .../elastic/ecs/code/go/ecs/server.go | 10 + .../elastic/ecs/code/go/ecs/service.go | 12 +- .../elastic/ecs/code/go/ecs/source.go | 10 + .../elastic/ecs/code/go/ecs/tracing.go | 37 + .../elastic/ecs/code/go/ecs/user.go | 4 + .../elastic/ecs/code/go/ecs/version.go | 2 +- vendor/vendor.json | 10 +- winlogbeat/docs/fields.asciidoc | 812 ++++++++++++++++- winlogbeat/include/fields.go | 2 +- 
x-pack/functionbeat/docs/fields.asciidoc | 814 ++++++++++++++++- x-pack/functionbeat/include/fields.go | 2 +- 42 files changed, 7140 insertions(+), 382 deletions(-) create mode 100644 vendor/github.com/elastic/ecs/code/go/ecs/as.go create mode 100644 vendor/github.com/elastic/ecs/code/go/ecs/dns.go create mode 100644 vendor/github.com/elastic/ecs/code/go/ecs/hash.go create mode 100644 vendor/github.com/elastic/ecs/code/go/ecs/tracing.go diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index f4f2e40050e..464d9e11af3 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -224,6 +224,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add a check so alias creation explicitely fails if there is an index with the same name. {pull}13070[13070] - Update kubernetes watcher to use official client-go libraries. {pull}13051[13051] - add_host_metadata is no GA. {pull}13148[13148] +- Update ECS version to v1.1.0. {issue}13320[13320] {pull}13321[13321] *Auditbeat* diff --git a/NOTICE.txt b/NOTICE.txt index 655d57a8cc1..f88fc2e0ce1 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -700,8 +700,8 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -------------------------------------------------------------------- Dependency: github.com/elastic/ecs -Version: v1.0.1 -Revision: ab5e966864a6e2d4bc9fd6e2343e8d7f05f648fb +Version: v1.1.0 +Revision: cc1d96bf3f70a8e6af1e436a0283ef22b6af3dd2 License type (autodetected): Apache-2.0 ./vendor/github.com/elastic/ecs/LICENSE.txt: -------------------------------------------------------------------- diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc index 24db8875c9c..b9ab11fbf6d 100644 --- a/auditbeat/docs/fields.asciidoc +++ b/auditbeat/docs/fields.asciidoc 
@@ -3061,6 +3061,34 @@ example: 6.0.0-rc2 -- +[float] +=== as + +An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. + + +*`as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + [float] === client @@ -3079,6 +3107,28 @@ type: keyword -- +*`client.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`client.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`client.bytes`*:: + -- @@ -3210,6 +3260,28 @@ type: keyword -- +*`client.nat.ip`*:: ++ +-- +Translated IP of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + +type: ip + +-- + +*`client.nat.port`*:: ++ +-- +Translated port of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`client.packets`*:: + -- @@ -3232,6 +3304,16 @@ format: string -- +*`client.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`client.user.email`*:: + -- 
@@ -3462,6 +3544,28 @@ type: keyword -- +*`destination.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`destination.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`destination.bytes`*:: + -- @@ -3593,6 +3697,28 @@ type: keyword -- +*`destination.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`destination.nat.port`*:: ++ +-- +Port the source session is translated to by NAT Device. +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`destination.packets`*:: + -- @@ -3615,6 +3741,16 @@ format: string -- +*`destination.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`destination.user.email`*:: + -- 
@@ -3683,6 +3819,198 @@ example: albert -- +[float] +=== dns + +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). + + +*`dns.answers`*:: ++ +-- +An array containing an object for each answer section returned by the server. +The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. +Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + +type: object + +-- + +*`dns.answers.class`*:: ++ +-- +The class of DNS data contained in this resource record. + +type: keyword + +example: IN + +-- + +*`dns.answers.data`*:: ++ +-- +The data describing the resource. +The meaning of this data depends on the type and class of the resource record. + +type: keyword + +example: 10.10.10.10 + +-- + +*`dns.answers.name`*:: ++ +-- +The domain name to which this resource record pertains. +If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + +type: keyword + +example: www.google.com + +-- + +*`dns.answers.ttl`*:: ++ +-- +The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + +type: long + +example: 180 + +-- + +*`dns.answers.type`*:: ++ +-- +The type of data contained in this resource record. + +type: keyword + +example: CNAME + +-- + +*`dns.header_flags`*:: ++ +-- +Array of 2 letter DNS header flags. 
+Expected values are: AA, TC, RD, RA, AD, CD, DO. + +type: keyword + +example: ['RD', 'RA'] + +-- + +*`dns.id`*:: ++ +-- +The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + +type: keyword + +example: 62111 + +-- + +*`dns.op_code`*:: ++ +-- +The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + +type: keyword + +example: QUERY + +-- + +*`dns.question.class`*:: ++ +-- +The class of of records being queried. + +type: keyword + +example: IN + +-- + +*`dns.question.name`*:: ++ +-- +The name being queried. +If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + +type: keyword + +example: www.google.com + +-- + +*`dns.question.registered_domain`*:: ++ +-- +The highest registered domain, stripped of the subdomain. +For example, the registered domain for "foo.google.com" is "google.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: google.com + +-- + +*`dns.question.type`*:: ++ +-- +The type of record being queried. + +type: keyword + +example: AAAA + +-- + +*`dns.resolved_ip`*:: ++ +-- +Array containing all IPs seen in `answers.data`. +The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
+ +type: ip + +example: ['10.10.10.10', '10.10.10.11'] + +-- + +*`dns.response_code`*:: ++ +-- +The DNS response code. + +type: keyword + +example: NOERROR + +-- + +*`dns.type`*:: ++ +-- +The type of DNS event captured, query or answer. +If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. +If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + +type: keyword + +example: answer + +-- + [float] === ecs @@ -3768,6 +4096,18 @@ example: user-management -- +*`event.code`*:: ++ +-- +Identification code for this event, if one exists. +Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + +type: keyword + +example: 4648 + +-- + *`event.created`*:: + -- @@ -3784,11 +4124,12 @@ type: date + -- Name of the dataset. -The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. +If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. +It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. type: keyword -example: stats +example: apache.access -- 
@@ -3851,11 +4192,11 @@ example: state + -- Name of the module this data is coming from. -This information is coming from the modules used in Beats or Logstash. +If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. type: keyword -example: mysql +example: apache -- @@ -3883,6 +4224,18 @@ example: success -- +*`event.provider`*:: ++ +-- +Source of the event. +Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + +type: keyword + +example: kernel + +-- + *`event.risk_score`*:: + -- @@ -3902,6 +4255,18 @@ type: float -- +*`event.sequence`*:: ++ +-- +Sequence number of the event. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. + +type: long + +format: string + +-- + *`event.severity`*:: + -- 
@@ -3951,49 +4316,122 @@ A file is defined as a set of information that has been created on, or has exist File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. -*`file.ctime`*:: +*`file.accessed`*:: ++ +-- +Last time the file was accessed. +Note that not all filesystems keep track of access time. + +type: date + +-- + +*`file.created`*:: ++ +-- +File creation time. +Note that not all filesystems store the creation time. + +type: date + +-- + +*`file.ctime`*:: ++ +-- +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + +type: date + +-- + +*`file.device`*:: ++ +-- +Device that is the source of the file. + +type: keyword + +example: sda + +-- + +*`file.directory`*:: ++ +-- +Directory where the file is located. + +type: keyword + +example: /home/alice + +-- + +*`file.extension`*:: ++ +-- +File extension. + +type: keyword + +example: png + +-- + +*`file.gid`*:: ++ +-- +Primary group ID (GID) of the file. + +type: keyword + +example: 1001 + +-- + +*`file.group`*:: + -- -Last time file metadata changed. +Primary group name of the file. -type: date +type: keyword + +example: alice -- -*`file.device`*:: +*`file.hash.md5`*:: + -- -Device that is the source of the file. +MD5 hash. type: keyword -- -*`file.extension`*:: +*`file.hash.sha1`*:: + -- -File extension. -This should allow easy filtering by file extensions. +SHA1 hash. type: keyword -example: png - -- -*`file.gid`*:: +*`file.hash.sha256`*:: + -- -Primary group ID (GID) of the file. +SHA256 hash. type: keyword -- -*`file.group`*:: +*`file.hash.sha512`*:: + -- -Primary group name of the file. +SHA512 hash. type: keyword 
@@ -4006,6 +4444,8 @@ Inode representing the file in the filesystem. type: keyword +example: 256383 + -- *`file.mode`*:: @@ -4015,19 +4455,30 @@ Mode of the file in octal representation. type: keyword -example: 416 +example: 0640 -- *`file.mtime`*:: + -- -Last time file content was modified. +Last time the file content was modified. type: date -- +*`file.name`*:: ++ +-- +Name of the file including the extension, without the directory. + +type: keyword + +example: example.png + +-- + *`file.owner`*:: + -- @@ -4035,24 +4486,31 @@ File owner's username. type: keyword +example: alice + -- *`file.path`*:: + -- -Path to the file. +Full path to the file. type: keyword +example: /home/alice/example.png + -- *`file.size`*:: + -- -File size in bytes (field is only added when `type` is `file`). +File size in bytes. +Only relevant when `file.type` is "file". type: long +example: 16384 + -- *`file.target_path`*:: @@ -4071,6 +4529,8 @@ File type (file, dir, or symlink). type: keyword +example: file + -- *`file.uid`*:: @@ -4080,6 +4540,8 @@ The user ID (UID) or security identifier (SID) of the file owner. type: keyword +example: 1001 + -- [float] @@ -4203,6 +4665,49 @@ type: keyword -- +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + [float] === host 
@@ -4436,6 +4941,27 @@ type: keyword -- +*`host.uptime`*:: ++ +-- +Seconds the host has been up. + +type: long + +example: 1325 + +-- + +*`host.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`host.user.email`*:: + -- @@ -4649,6 +5175,17 @@ example: err -- +*`log.logger`*:: ++ +-- +The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + +type: keyword + +example: org.elasticsearch.bootstrap.Bootstrap + +-- + *`log.original`*:: + -- @@ -5164,6 +5701,42 @@ example: /usr/bin/ssh -- +*`process.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.name`*:: + -- @@ -5176,6 +5749,17 @@ example: ssh -- +*`process.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + *`process.pid`*:: + -- @@ -5226,6 +5810,17 @@ format: string -- +*`process.thread.name`*:: ++ +-- +Thread name. + +type: keyword + +example: thread-0 + +-- + *`process.title`*:: + -- @@ -5236,6 +5831,17 @@ type: keyword -- +*`process.uptime`*:: ++ +-- +Seconds the process has been up. + +type: long + +example: 1325 + +-- + *`process.working_directory`*:: + -- @@ -5282,6 +5888,28 @@ type: keyword -- +*`server.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`server.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`server.bytes`*:: + -- 
@@ -5413,6 +6041,28 @@ type: keyword -- +*`server.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`server.nat.port`*:: ++ +-- +Translated port of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`server.packets`*:: + -- @@ -5435,6 +6085,16 @@ format: string -- +*`server.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`server.user.email`*:: + -- @@ -5525,9 +6185,9 @@ example: 8a4f500f *`service.id`*:: + -- -Unique identifier of the running service. -This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. -Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance. +Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. +This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. +Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. type: keyword @@ -5600,6 +6260,28 @@ type: keyword -- +*`source.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`source.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`source.bytes`*:: + -- 
@@ -5731,6 +6413,28 @@ type: keyword -- +*`source.nat.ip`*:: ++ +-- +Translated ip of source based NAT sessions (e.g. internal client to internet) +Typically connections traversing load balancers, firewalls, or routers. + +type: ip + +-- + +*`source.nat.port`*:: ++ +-- +Translated port of source based NAT sessions. (e.g. internal client to internet) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`source.packets`*:: + -- @@ -5753,6 +6457,16 @@ format: string -- +*`source.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`source.user.email`*:: + -- @@ -5821,6 +6535,36 @@ example: albert -- +[float] +=== tracing + +Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + +*`tracing.trace.id`*:: ++ +-- +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`tracing.transaction.id`*:: ++ +-- +Unique identifier of the transaction. +A transaction is the highest level of work measured within a service, such as a request to a server. + +type: keyword + +example: 00f067aa0ba902b7 + +-- + [float] === url @@ -5942,6 +6686,16 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +*`user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`user.email`*:: + -- 
diff --git a/auditbeat/include/fields.go b/auditbeat/include/fields.go index 191badf19de..c9a6b845a6b 100644 --- a/auditbeat/include/fields.go +++ b/auditbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/auditbeat/module/file_integrity/_meta/fields.yml b/auditbeat/module/file_integrity/_meta/fields.yml index d1eb262b1f9..c34aaaf1d43 100644 --- a/auditbeat/module/file_integrity/_meta/fields.yml +++ b/auditbeat/module/file_integrity/_meta/fields.yml @@ -22,10 +22,12 @@ description: BLAKE2b-512 hash of the file. - name: md5 + overwrite: true type: keyword description: MD5 hash of the file. - name: sha1 + overwrite: true type: keyword description: SHA1 hash of the file. @@ -34,6 +36,7 @@ description: SHA224 hash of the file. - name: sha256 + overwrite: true type: keyword description: SHA256 hash of the file. @@ -58,6 +61,7 @@ description: SHA3_512 hash of the file. - name: sha512 + overwrite: true type: keyword description: SHA512 hash of the file. diff --git a/auditbeat/module/file_integrity/fields.go b/auditbeat/module/file_integrity/fields.go index 25e04e2d53a..84341850eb5 100644 --- a/auditbeat/module/file_integrity/fields.go +++ b/auditbeat/module/file_integrity/fields.go 
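Review bot: The four new `overwrite: true` lines on md5, sha1, sha256 and sha512 in auditbeat/module/file_integrity/_meta/fields.yml carry no explanation of why these entries, and not the neighbouring blake2b/sha224/sha3 ones, need the flag, so a later reader cannot tell that they collide with the `file.hash.md5`/`sha1`/`sha256`/`sha512` fields that ECS v1.1.0 now ships (visible in this commit's fields.asciidoc hunks, all `type: keyword`). A comment above the first overwritten entry would record the constraint, e.g. `# overwrite: ECS v1.1.0 also defines file.hash.{md5,sha1,sha256,sha512} as keyword; this module's definition takes precedence, so keep the type identical to the ECS one`. It is also worth noting in that comment that the fields must stay `keyword` so hash values are matched exactly when used as indicators, since the ECS side presumably assumes the same. The enclosing `fields:` list starts above the hunk, so the comment belongs at the first entry inside it rather than at a group header.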
@@ -32,5 +32,5 @@ func init() { // AssetFileIntegrity returns asset data. // This is the base64 encoded gzipped contents of module/file_integrity. func AssetFileIntegrity() string { - return "eJyUkkFvozAUhO/8ivkDyQonoIjDSqy2FVXbU3rIDZn4BVsxEGGnDf++wqJNIkXCPvI0fJ438xY40pDhoDSVqrVU98oOEWCV1ZThWWnCy81ckNn36mRV12b4kGQIvCdYSTgo0sKgppZ6bkmgGqb5LRtNJ86alhGmH7IIWKDlDWWQ3MgIAOxwogx1351P7vvu2b9uBBTcSDLoDr/PLEdL40bGueK67nplZePwBrwVTvrJ9ZmcZCKNQ0kXULvvBAkIVZOxk24ZOdXV7dVvpfmRWFWyJP0hOeNHGr66XkyzO/P/3vLXJ1YtWJK6de/sRw/pq806lL7arH3pScxC6UnM5uiNSHyp7/+TOZqRPPbFbYs89uAx5h3qtsgZm81zZPqfwcicvwAjeUD52yL36H1klmHbO70fNygBp/fiBqZQ+uYQcPyO63H5RvIwqjczsLUkZn/8enPsoOYce767y0Wm3pZ3u/SR2e8AAAD//7nP8bw=" + return "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" } diff --git a/filebeat/_meta/fields.common.yml b/filebeat/_meta/fields.common.yml index da88144ca30..744fa3b9475 100644 --- a/filebeat/_meta/fields.common.yml +++ b/filebeat/_meta/fields.common.yml @@ -35,12 +35,6 @@ The input type from which the event was generated. This field is set to the value specified for the `type` option in the input section of the Filebeat config file. - - name: event.sequence - type: long - required: false - description: > - The sequence number of this event. - - name: syslog.facility type: long required: false @@ -111,11 +105,6 @@ docker.attrs contains labels and environment variables written by docker's JSON File logging driver. These fields are only available when they are configured in the logging driver options. - - name: event.code - type: keyword - description: > - The code for the log message. - - name: icmp.code type: keyword description: 
> @@ -131,26 +120,6 @@ description: > IGMP type. - - name: source.as.number - type: long - description: > - Autonomous system number. - - - name: destination.as.number - type: long - description: > - Autonomous system number. - - - name: source.as.organization.name - type: keyword - description: > - Name of organization associated with the autonomous system. - - - name: destination.as.organization.name - type: keyword - description: > - Name of organization associated with the autonomous system. - - name: kafka type: group fields: diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 98f2e45a0d4..2740d86e0e9 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -1899,6 +1899,34 @@ example: 6.0.0-rc2 -- +[float] +=== as + +An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. + + +*`as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + [float] === client @@ -1917,6 +1945,28 @@ type: keyword -- +*`client.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`client.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`client.bytes`*:: + -- 
@@ -2048,6 +2098,28 @@ type: keyword -- +*`client.nat.ip`*:: ++ +-- +Translated IP of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + +type: ip + +-- + +*`client.nat.port`*:: ++ +-- +Translated port of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`client.packets`*:: + -- @@ -2070,6 +2142,16 @@ format: string -- +*`client.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`client.user.email`*:: + -- @@ -2300,6 +2382,28 @@ type: keyword -- +*`destination.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`destination.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`destination.bytes`*:: + -- @@ -2431,6 +2535,28 @@ type: keyword -- +*`destination.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`destination.nat.port`*:: ++ +-- +Port the source session is translated to by NAT Device. +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`destination.packets`*:: + -- @@ -2453,6 +2579,16 @@ format: string -- +*`destination.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`destination.user.email`*:: + -- 
@@ -2521,6 +2657,198 @@ example: albert -- +[float] +=== dns + +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). + + +*`dns.answers`*:: ++ +-- +An array containing an object for each answer section returned by the server. +The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. +Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + +type: object + +-- + +*`dns.answers.class`*:: ++ +-- +The class of DNS data contained in this resource record. + +type: keyword + +example: IN + +-- + +*`dns.answers.data`*:: ++ +-- +The data describing the resource. +The meaning of this data depends on the type and class of the resource record. + +type: keyword + +example: 10.10.10.10 + +-- + +*`dns.answers.name`*:: ++ +-- +The domain name to which this resource record pertains. +If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + +type: keyword + +example: www.google.com + +-- + +*`dns.answers.ttl`*:: ++ +-- +The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + +type: long + +example: 180 + +-- + +*`dns.answers.type`*:: ++ +-- +The type of data contained in this resource record. + +type: keyword + +example: CNAME + +-- + +*`dns.header_flags`*:: ++ +-- +Array of 2 letter DNS header flags. 
+Expected values are: AA, TC, RD, RA, AD, CD, DO. + +type: keyword + +example: ['RD', 'RA'] + +-- + +*`dns.id`*:: ++ +-- +The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + +type: keyword + +example: 62111 + +-- + +*`dns.op_code`*:: ++ +-- +The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + +type: keyword + +example: QUERY + +-- + +*`dns.question.class`*:: ++ +-- +The class of of records being queried. + +type: keyword + +example: IN + +-- + +*`dns.question.name`*:: ++ +-- +The name being queried. +If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + +type: keyword + +example: www.google.com + +-- + +*`dns.question.registered_domain`*:: ++ +-- +The highest registered domain, stripped of the subdomain. +For example, the registered domain for "foo.google.com" is "google.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: google.com + +-- + +*`dns.question.type`*:: ++ +-- +The type of record being queried. + +type: keyword + +example: AAAA + +-- + +*`dns.resolved_ip`*:: ++ +-- +Array containing all IPs seen in `answers.data`. +The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
+ +type: ip + +example: ['10.10.10.10', '10.10.10.11'] + +-- + +*`dns.response_code`*:: ++ +-- +The DNS response code. + +type: keyword + +example: NOERROR + +-- + +*`dns.type`*:: ++ +-- +The type of DNS event captured, query or answer. +If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. +If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + +type: keyword + +example: answer + +-- + [float] === ecs @@ -2606,6 +2934,18 @@ example: user-management -- +*`event.code`*:: ++ +-- +Identification code for this event, if one exists. +Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + +type: keyword + +example: 4648 + +-- + *`event.created`*:: + -- @@ -2622,11 +2962,12 @@ type: date + -- Name of the dataset. -The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. +If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. +It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. type: keyword -example: stats +example: apache.access -- 
@@ -2689,11 +3030,11 @@ example: state + -- Name of the module this data is coming from. -This information is coming from the modules used in Beats or Logstash. +If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. type: keyword -example: mysql +example: apache -- @@ -2721,6 +3062,18 @@ example: success -- +*`event.provider`*:: ++ +-- +Source of the event. +Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + +type: keyword + +example: kernel + +-- + *`event.risk_score`*:: + -- @@ -2740,6 +3093,18 @@ type: float -- +*`event.sequence`*:: ++ +-- +Sequence number of the event. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. + +type: long + +format: string + +-- + *`event.severity`*:: + -- 
@@ -2789,10 +3154,31 @@ A file is defined as a set of information that has been created on, or has exist File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. +*`file.accessed`*:: ++ +-- +Last time the file was accessed. +Note that not all filesystems keep track of access time. + +type: date + +-- + +*`file.created`*:: ++ +-- +File creation time. +Note that not all filesystems store the creation time. + +type: date + +-- + *`file.ctime`*:: + -- -Last time file metadata changed. +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. type: date @@ -2805,13 +3191,25 @@ Device that is the source of the file. type: keyword +example: sda + +-- + +*`file.directory`*:: ++ +-- +Directory where the file is located. + +type: keyword + +example: /home/alice + -- *`file.extension`*:: + -- File extension. -This should allow easy filtering by file extensions. type: keyword @@ -2826,6 +3224,8 @@ Primary group ID (GID) of the file. type: keyword +example: 1001 + -- *`file.group`*:: @@ -2835,6 +3235,44 @@ Primary group name of the file. type: keyword +example: alice + +-- + +*`file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + -- *`file.inode`*:: @@ -2844,6 +3282,8 @@ Inode representing the file in the filesystem. type: keyword +example: 256383 + -- *`file.mode`*:: 
@@ -2853,19 +3293,30 @@ Mode of the file in octal representation. type: keyword -example: 416 +example: 0640 -- *`file.mtime`*:: + -- -Last time file content was modified. +Last time the file content was modified. type: date -- +*`file.name`*:: ++ +-- +Name of the file including the extension, without the directory. + +type: keyword + +example: example.png + +-- + *`file.owner`*:: + -- @@ -2873,24 +3324,31 @@ File owner's username. type: keyword +example: alice + -- *`file.path`*:: + -- -Path to the file. +Full path to the file. type: keyword +example: /home/alice/example.png + -- *`file.size`*:: + -- -File size in bytes (field is only added when `type` is `file`). +File size in bytes. +Only relevant when `file.type` is "file". type: long +example: 16384 + -- *`file.target_path`*:: @@ -2909,6 +3367,8 @@ File type (file, dir, or symlink). type: keyword +example: file + -- *`file.uid`*:: @@ -2918,6 +3378,8 @@ The user ID (UID) or security identifier (SID) of the file owner. type: keyword +example: 1001 + -- [float] @@ -3023,19 +3485,62 @@ example: Quebec The group fields are meant to represent groups that are relevant to the event. -*`group.id`*:: +*`group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: + -- -Unique identifier for the group on the system/platform. +SHA256 hash. type: keyword -- -*`group.name`*:: +*`hash.sha512`*:: + -- -Name of the group. +SHA512 hash. type: keyword 
@@ -3274,6 +3779,27 @@ type: keyword -- +*`host.uptime`*:: ++ +-- +Seconds the host has been up. + +type: long + +example: 1325 + +-- + +*`host.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`host.user.email`*:: + -- @@ -3487,6 +4013,17 @@ example: err -- +*`log.logger`*:: ++ +-- +The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + +type: keyword + +example: org.elasticsearch.bootstrap.Bootstrap + +-- + *`log.original`*:: + -- @@ -4002,6 +4539,42 @@ example: /usr/bin/ssh -- +*`process.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.name`*:: + -- @@ -4014,6 +4587,17 @@ example: ssh -- +*`process.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + *`process.pid`*:: + -- @@ -4064,6 +4648,17 @@ format: string -- +*`process.thread.name`*:: ++ +-- +Thread name. + +type: keyword + +example: thread-0 + +-- + *`process.title`*:: + -- @@ -4074,6 +4669,17 @@ type: keyword -- +*`process.uptime`*:: ++ +-- +Seconds the process has been up. + +type: long + +example: 1325 + +-- + *`process.working_directory`*:: + -- @@ -4120,6 +4726,28 @@ type: keyword -- +*`server.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`server.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`server.bytes`*:: + -- 
@@ -4251,6 +4879,28 @@ type: keyword -- +*`server.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`server.nat.port`*:: ++ +-- +Translated port of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`server.packets`*:: + -- @@ -4273,6 +4923,16 @@ format: string -- +*`server.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`server.user.email`*:: + -- @@ -4363,9 +5023,9 @@ example: 8a4f500f *`service.id`*:: + -- -Unique identifier of the running service. -This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. -Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance. +Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. +This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. +Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. type: keyword @@ -4438,6 +5098,28 @@ type: keyword -- +*`source.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`source.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`source.bytes`*:: + -- 
@@ -4569,6 +5251,28 @@ type: keyword -- +*`source.nat.ip`*:: ++ +-- +Translated ip of source based NAT sessions (e.g. internal client to internet) +Typically connections traversing load balancers, firewalls, or routers. + +type: ip + +-- + +*`source.nat.port`*:: ++ +-- +Translated port of source based NAT sessions. (e.g. internal client to internet) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`source.packets`*:: + -- @@ -4591,6 +5295,16 @@ format: string -- +*`source.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`source.user.email`*:: + -- @@ -4659,6 +5373,36 @@ example: albert -- +[float] +=== tracing + +Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + +*`tracing.trace.id`*:: ++ +-- +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`tracing.transaction.id`*:: ++ +-- +Unique identifier of the transaction. +A transaction is the highest level of work measured within a service, such as a request to a server. + +type: keyword + +example: 00f067aa0ba902b7 + +-- + [float] === url @@ -4780,6 +5524,16 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +*`user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`user.email`*:: + -- 
@@ -7864,18 +8618,6 @@ required: True -- -*`event.sequence`*:: -+ --- -The sequence number of this event. - - -type: long - -required: False - --- - *`syslog.facility`*:: + -- @@ -8000,16 +8742,6 @@ type: object -- -*`event.code`*:: -+ --- -The code for the log message. - - -type: keyword - --- - *`icmp.code`*:: + -- @@ -8036,46 +8768,6 @@ type: keyword IGMP type. -type: keyword - --- - -*`source.as.number`*:: -+ --- -Autonomous system number. - - -type: long - --- - -*`destination.as.number`*:: -+ --- -Autonomous system number. - - -type: long - --- - -*`source.as.organization.name`*:: -+ --- -Name of organization associated with the autonomous system. - - -type: keyword - --- - -*`destination.as.organization.name`*:: -+ --- -Name of organization associated with the autonomous system. - - type: keyword -- @@ -13328,15 +14020,6 @@ type: keyword -- -*`hash.sha256`*:: -+ --- -Hash of process executable. - -type: keyword - --- - [[exported-fields-suricata]] == Suricata fields diff --git a/filebeat/include/fields.go b/filebeat/include/fields.go index 2804cc99ba6..516f2eda67b 100644 --- a/filebeat/include/fields.go +++ b/filebeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "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" + return "" } diff --git a/filebeat/module/santa/_meta/fields.yml b/filebeat/module/santa/_meta/fields.yml index 60ae1de7a65..fea0b03a78c 100644 --- a/filebeat/module/santa/_meta/fields.yml +++ b/filebeat/module/santa/_meta/fields.yml @@ -63,8 +63,3 @@ - name: certificate.sha256 type: keyword description: SHA256 hash of code signing certificate. - - # Auditbeat FIM is using this field for the same purpose. - - name: hash.sha256 - type: keyword - description: Hash of process executable. diff --git a/filebeat/module/santa/fields.go b/filebeat/module/santa/fields.go index d13c1c57a8f..cc67c59b2b2 100644 
--- a/filebeat/module/santa/fields.go +++ b/filebeat/module/santa/fields.go @@ -32,5 +32,5 @@ func init() { // AssetSanta returns asset data. // This is the base64 encoded gzipped contents of module/santa. func AssetSanta() string { - return "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" + return "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" } diff --git a/heartbeat/docs/fields.asciidoc b/heartbeat/docs/fields.asciidoc index c99fc1e3733..891a80fb944 100644 --- a/heartbeat/docs/fields.asciidoc +++ b/heartbeat/docs/fields.asciidoc @@ -484,6 +484,34 @@ example: 6.0.0-rc2 -- +[float] +=== as + +An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. + + +*`as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + [float] === client @@ -502,6 +530,28 @@ type: keyword -- +*`client.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`client.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`client.bytes`*:: + -- 
@@ -633,6 +683,28 @@ type: keyword -- +*`client.nat.ip`*:: ++ +-- +Translated IP of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + +type: ip + +-- + +*`client.nat.port`*:: ++ +-- +Translated port of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`client.packets`*:: + -- @@ -655,6 +727,16 @@ format: string -- +*`client.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`client.user.email`*:: + -- @@ -885,6 +967,28 @@ type: keyword -- +*`destination.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`destination.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`destination.bytes`*:: + -- @@ -1016,6 +1120,28 @@ type: keyword -- +*`destination.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`destination.nat.port`*:: ++ +-- +Port the source session is translated to by NAT Device. +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`destination.packets`*:: + -- @@ -1038,6 +1164,16 @@ format: string -- +*`destination.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`destination.user.email`*:: + -- 
@@ -1106,6 +1242,198 @@ example: albert -- +[float] +=== dns + +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). + + +*`dns.answers`*:: ++ +-- +An array containing an object for each answer section returned by the server. +The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. +Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + +type: object + +-- + +*`dns.answers.class`*:: ++ +-- +The class of DNS data contained in this resource record. + +type: keyword + +example: IN + +-- + +*`dns.answers.data`*:: ++ +-- +The data describing the resource. +The meaning of this data depends on the type and class of the resource record. + +type: keyword + +example: 10.10.10.10 + +-- + +*`dns.answers.name`*:: ++ +-- +The domain name to which this resource record pertains. +If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + +type: keyword + +example: www.google.com + +-- + +*`dns.answers.ttl`*:: ++ +-- +The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + +type: long + +example: 180 + +-- + +*`dns.answers.type`*:: ++ +-- +The type of data contained in this resource record. + +type: keyword + +example: CNAME + +-- + +*`dns.header_flags`*:: ++ +-- +Array of 2 letter DNS header flags. 
+Expected values are: AA, TC, RD, RA, AD, CD, DO. + +type: keyword + +example: ['RD', 'RA'] + +-- + +*`dns.id`*:: ++ +-- +The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + +type: keyword + +example: 62111 + +-- + +*`dns.op_code`*:: ++ +-- +The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + +type: keyword + +example: QUERY + +-- + +*`dns.question.class`*:: ++ +-- +The class of of records being queried. + +type: keyword + +example: IN + +-- + +*`dns.question.name`*:: ++ +-- +The name being queried. +If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + +type: keyword + +example: www.google.com + +-- + +*`dns.question.registered_domain`*:: ++ +-- +The highest registered domain, stripped of the subdomain. +For example, the registered domain for "foo.google.com" is "google.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: google.com + +-- + +*`dns.question.type`*:: ++ +-- +The type of record being queried. + +type: keyword + +example: AAAA + +-- + +*`dns.resolved_ip`*:: ++ +-- +Array containing all IPs seen in `answers.data`. +The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
+ +type: ip + +example: ['10.10.10.10', '10.10.10.11'] + +-- + +*`dns.response_code`*:: ++ +-- +The DNS response code. + +type: keyword + +example: NOERROR + +-- + +*`dns.type`*:: ++ +-- +The type of DNS event captured, query or answer. +If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. +If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + +type: keyword + +example: answer + +-- + [float] === ecs @@ -1191,6 +1519,18 @@ example: user-management -- +*`event.code`*:: ++ +-- +Identification code for this event, if one exists. +Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + +type: keyword + +example: 4648 + +-- + *`event.created`*:: + -- @@ -1207,11 +1547,12 @@ type: date + -- Name of the dataset. -The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. +If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. +It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. type: keyword -example: stats +example: apache.access -- 
@@ -1274,11 +1615,11 @@ example: state + -- Name of the module this data is coming from. -This information is coming from the modules used in Beats or Logstash. +If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. type: keyword -example: mysql +example: apache -- @@ -1306,6 +1647,18 @@ example: success -- +*`event.provider`*:: ++ +-- +Source of the event. +Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + +type: keyword + +example: kernel + +-- + *`event.risk_score`*:: + -- @@ -1325,6 +1678,18 @@ type: float -- +*`event.sequence`*:: ++ +-- +Sequence number of the event. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. + +type: long + +format: string + +-- + *`event.severity`*:: + -- 
@@ -1363,60 +1728,133 @@ type: keyword Reserved for future usage. Please avoid using this field for user data. -type: keyword +type: keyword + +-- + +[float] +=== file + +A file is defined as a set of information that has been created on, or has existed on a filesystem. +File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. + + +*`file.accessed`*:: ++ +-- +Last time the file was accessed. +Note that not all filesystems keep track of access time. + +type: date + +-- + +*`file.created`*:: ++ +-- +File creation time. +Note that not all filesystems store the creation time. + +type: date + +-- + +*`file.ctime`*:: ++ +-- +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + +type: date + +-- + +*`file.device`*:: ++ +-- +Device that is the source of the file. + +type: keyword + +example: sda + +-- + +*`file.directory`*:: ++ +-- +Directory where the file is located. + +type: keyword + +example: /home/alice + +-- + +*`file.extension`*:: ++ +-- +File extension. + +type: keyword + +example: png + +-- +*`file.gid`*:: ++ -- +Primary group ID (GID) of the file. -[float] -=== file +type: keyword -A file is defined as a set of information that has been created on, or has existed on a filesystem. -File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. +example: 1001 +-- -*`file.ctime`*:: +*`file.group`*:: + -- -Last time file metadata changed. +Primary group name of the file. 
-type: date +type: keyword + +example: alice -- -*`file.device`*:: +*`file.hash.md5`*:: + -- -Device that is the source of the file. +MD5 hash. type: keyword -- -*`file.extension`*:: +*`file.hash.sha1`*:: + -- -File extension. -This should allow easy filtering by file extensions. +SHA1 hash. type: keyword -example: png - -- -*`file.gid`*:: +*`file.hash.sha256`*:: + -- -Primary group ID (GID) of the file. +SHA256 hash. type: keyword -- -*`file.group`*:: +*`file.hash.sha512`*:: + -- -Primary group name of the file. +SHA512 hash. type: keyword @@ -1429,6 +1867,8 @@ Inode representing the file in the filesystem. type: keyword +example: 256383 + -- *`file.mode`*:: @@ -1438,19 +1878,30 @@ Mode of the file in octal representation. type: keyword -example: 416 +example: 0640 -- *`file.mtime`*:: + -- -Last time file content was modified. +Last time the file content was modified. type: date -- +*`file.name`*:: ++ +-- +Name of the file including the extension, without the directory. + +type: keyword + +example: example.png + +-- + *`file.owner`*:: + -- @@ -1458,24 +1909,31 @@ File owner's username. type: keyword +example: alice + -- *`file.path`*:: + -- -Path to the file. +Full path to the file. type: keyword +example: /home/alice/example.png + -- *`file.size`*:: + -- -File size in bytes (field is only added when `type` is `file`). +File size in bytes. +Only relevant when `file.type` is "file". type: long +example: 16384 + -- *`file.target_path`*:: @@ -1494,6 +1952,8 @@ File type (file, dir, or symlink). type: keyword +example: file + -- *`file.uid`*:: @@ -1503,6 +1963,8 @@ The user ID (UID) or security identifier (SID) of the file owner. type: keyword +example: 1001 + -- [float] 
@@ -1626,6 +2088,49 @@ type: keyword -- +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + [float] === host @@ -1859,6 +2364,27 @@ type: keyword -- +*`host.uptime`*:: ++ +-- +Seconds the host has been up. + +type: long + +example: 1325 + +-- + +*`host.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`host.user.email`*:: + -- @@ -2072,6 +2598,17 @@ example: err -- +*`log.logger`*:: ++ +-- +The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + +type: keyword + +example: org.elasticsearch.bootstrap.Bootstrap + +-- + *`log.original`*:: + -- @@ -2587,6 +3124,42 @@ example: /usr/bin/ssh -- +*`process.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.name`*:: + -- @@ -2599,6 +3172,17 @@ example: ssh -- +*`process.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + *`process.pid`*:: + -- @@ -2649,6 +3233,17 @@ format: string -- +*`process.thread.name`*:: ++ +-- +Thread name. + +type: keyword + +example: thread-0 + +-- + *`process.title`*:: + -- 
@@ -2659,6 +3254,17 @@ type: keyword -- +*`process.uptime`*:: ++ +-- +Seconds the process has been up. + +type: long + +example: 1325 + +-- + *`process.working_directory`*:: + -- @@ -2705,6 +3311,28 @@ type: keyword -- +*`server.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`server.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`server.bytes`*:: + -- @@ -2836,6 +3464,28 @@ type: keyword -- +*`server.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`server.nat.port`*:: ++ +-- +Translated port of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`server.packets`*:: + -- @@ -2858,6 +3508,16 @@ format: string -- +*`server.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`server.user.email`*:: + -- 
@@ -2948,9 +3608,9 @@ example: 8a4f500f *`service.id`*:: + -- -Unique identifier of the running service. -This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. -Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance. +Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. +This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. +Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. type: keyword @@ -3023,6 +3683,28 @@ type: keyword -- +*`source.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`source.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`source.bytes`*:: + -- @@ -3154,6 +3836,28 @@ type: keyword -- +*`source.nat.ip`*:: ++ +-- +Translated ip of source based NAT sessions (e.g. internal client to internet) +Typically connections traversing load balancers, firewalls, or routers. + +type: ip + +-- + +*`source.nat.port`*:: ++ +-- +Translated port of source based NAT sessions. (e.g. internal client to internet) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`source.packets`*:: + -- @@ -3176,6 +3880,16 @@ format: string -- +*`source.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`source.user.email`*:: + -- 
@@ -3244,6 +3958,36 @@ example: albert -- +[float] +=== tracing + +Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + +*`tracing.trace.id`*:: ++ +-- +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`tracing.transaction.id`*:: ++ +-- +Unique identifier of the transaction. +A transaction is the highest level of work measured within a service, such as a request to a server. + +type: keyword + +example: 00f067aa0ba902b7 + +-- + [float] === url @@ -3365,6 +4109,16 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +*`user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`user.email`*:: + -- diff --git a/heartbeat/include/fields.go b/heartbeat/include/fields.go index 64eaedfe347..0d6f44cb2b0 100644 --- a/heartbeat/include/fields.go +++ b/heartbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/journalbeat/docs/fields.asciidoc b/journalbeat/docs/fields.asciidoc index 238b8307dd5..47bef69ce21 100644 --- a/journalbeat/docs/fields.asciidoc +++ b/journalbeat/docs/fields.asciidoc 
@@ -1061,6 +1061,34 @@ example: 6.0.0-rc2 -- +[float] +=== as + +An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. + + +*`as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + [float] === client @@ -1079,6 +1107,28 @@ type: keyword -- +*`client.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`client.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`client.bytes`*:: + -- @@ -1210,6 +1260,28 @@ type: keyword -- +*`client.nat.ip`*:: ++ +-- +Translated IP of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + +type: ip + +-- + +*`client.nat.port`*:: ++ +-- +Translated port of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`client.packets`*:: + -- @@ -1232,6 +1304,16 @@ format: string -- +*`client.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`client.user.email`*:: + -- 
@@ -1462,6 +1544,28 @@ type: keyword -- +*`destination.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`destination.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`destination.bytes`*:: + -- @@ -1593,6 +1697,28 @@ type: keyword -- +*`destination.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`destination.nat.port`*:: ++ +-- +Port the source session is translated to by NAT Device. +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`destination.packets`*:: + -- @@ -1615,6 +1741,16 @@ format: string -- +*`destination.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`destination.user.email`*:: + -- 
@@ -1683,6 +1819,198 @@ example: albert -- +[float] +=== dns + +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). + + +*`dns.answers`*:: ++ +-- +An array containing an object for each answer section returned by the server. +The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. +Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + +type: object + +-- + +*`dns.answers.class`*:: ++ +-- +The class of DNS data contained in this resource record. + +type: keyword + +example: IN + +-- + +*`dns.answers.data`*:: ++ +-- +The data describing the resource. +The meaning of this data depends on the type and class of the resource record. + +type: keyword + +example: 10.10.10.10 + +-- + +*`dns.answers.name`*:: ++ +-- +The domain name to which this resource record pertains. +If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + +type: keyword + +example: www.google.com + +-- + +*`dns.answers.ttl`*:: ++ +-- +The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + +type: long + +example: 180 + +-- + +*`dns.answers.type`*:: ++ +-- +The type of data contained in this resource record. + +type: keyword + +example: CNAME + +-- + +*`dns.header_flags`*:: ++ +-- +Array of 2 letter DNS header flags. 
+Expected values are: AA, TC, RD, RA, AD, CD, DO. + +type: keyword + +example: ['RD', 'RA'] + +-- + +*`dns.id`*:: ++ +-- +The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + +type: keyword + +example: 62111 + +-- + +*`dns.op_code`*:: ++ +-- +The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + +type: keyword + +example: QUERY + +-- + +*`dns.question.class`*:: ++ +-- +The class of of records being queried. + +type: keyword + +example: IN + +-- + +*`dns.question.name`*:: ++ +-- +The name being queried. +If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + +type: keyword + +example: www.google.com + +-- + +*`dns.question.registered_domain`*:: ++ +-- +The highest registered domain, stripped of the subdomain. +For example, the registered domain for "foo.google.com" is "google.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: google.com + +-- + +*`dns.question.type`*:: ++ +-- +The type of record being queried. + +type: keyword + +example: AAAA + +-- + +*`dns.resolved_ip`*:: ++ +-- +Array containing all IPs seen in `answers.data`. +The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
+ +type: ip + +example: ['10.10.10.10', '10.10.10.11'] + +-- + +*`dns.response_code`*:: ++ +-- +The DNS response code. + +type: keyword + +example: NOERROR + +-- + +*`dns.type`*:: ++ +-- +The type of DNS event captured, query or answer. +If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. +If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + +type: keyword + +example: answer + +-- + [float] === ecs @@ -1768,6 +2096,18 @@ example: user-management -- +*`event.code`*:: ++ +-- +Identification code for this event, if one exists. +Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + +type: keyword + +example: 4648 + +-- + *`event.created`*:: + -- @@ -1784,11 +2124,12 @@ type: date + -- Name of the dataset. -The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. +If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. +It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. type: keyword -example: stats +example: apache.access -- 
@@ -1851,11 +2192,11 @@ example: state + -- Name of the module this data is coming from. -This information is coming from the modules used in Beats or Logstash. +If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. type: keyword -example: mysql +example: apache -- @@ -1883,6 +2224,18 @@ example: success -- +*`event.provider`*:: ++ +-- +Source of the event. +Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + +type: keyword + +example: kernel + +-- + *`event.risk_score`*:: + -- @@ -1902,6 +2255,18 @@ type: float -- +*`event.sequence`*:: ++ +-- +Sequence number of the event. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. + +type: long + +format: string + +-- + *`event.severity`*:: + -- 
@@ -1940,60 +2305,133 @@ type: keyword Reserved for future usage. Please avoid using this field for user data. -type: keyword +type: keyword + +-- + +[float] +=== file + +A file is defined as a set of information that has been created on, or has existed on a filesystem. +File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. + + +*`file.accessed`*:: ++ +-- +Last time the file was accessed. +Note that not all filesystems keep track of access time. + +type: date + +-- + +*`file.created`*:: ++ +-- +File creation time. +Note that not all filesystems store the creation time. + +type: date + +-- + +*`file.ctime`*:: ++ +-- +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + +type: date + +-- + +*`file.device`*:: ++ +-- +Device that is the source of the file. + +type: keyword + +example: sda + +-- + +*`file.directory`*:: ++ +-- +Directory where the file is located. + +type: keyword + +example: /home/alice + +-- + +*`file.extension`*:: ++ +-- +File extension. + +type: keyword + +example: png + +-- +*`file.gid`*:: ++ -- +Primary group ID (GID) of the file. -[float] -=== file +type: keyword -A file is defined as a set of information that has been created on, or has existed on a filesystem. -File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. +example: 1001 +-- -*`file.ctime`*:: +*`file.group`*:: + -- -Last time file metadata changed. +Primary group name of the file. 
-type: date +type: keyword + +example: alice -- -*`file.device`*:: +*`file.hash.md5`*:: + -- -Device that is the source of the file. +MD5 hash. type: keyword -- -*`file.extension`*:: +*`file.hash.sha1`*:: + -- -File extension. -This should allow easy filtering by file extensions. +SHA1 hash. type: keyword -example: png - -- -*`file.gid`*:: +*`file.hash.sha256`*:: + -- -Primary group ID (GID) of the file. +SHA256 hash. type: keyword -- -*`file.group`*:: +*`file.hash.sha512`*:: + -- -Primary group name of the file. +SHA512 hash. type: keyword @@ -2006,6 +2444,8 @@ Inode representing the file in the filesystem. type: keyword +example: 256383 + -- *`file.mode`*:: @@ -2015,19 +2455,30 @@ Mode of the file in octal representation. type: keyword -example: 416 +example: 0640 -- *`file.mtime`*:: + -- -Last time file content was modified. +Last time the file content was modified. type: date -- +*`file.name`*:: ++ +-- +Name of the file including the extension, without the directory. + +type: keyword + +example: example.png + +-- + *`file.owner`*:: + -- @@ -2035,24 +2486,31 @@ File owner's username. type: keyword +example: alice + -- *`file.path`*:: + -- -Path to the file. +Full path to the file. type: keyword +example: /home/alice/example.png + -- *`file.size`*:: + -- -File size in bytes (field is only added when `type` is `file`). +File size in bytes. +Only relevant when `file.type` is "file". type: long +example: 16384 + -- *`file.target_path`*:: @@ -2071,6 +2529,8 @@ File type (file, dir, or symlink). type: keyword +example: file + -- *`file.uid`*:: @@ -2080,6 +2540,8 @@ The user ID (UID) or security identifier (SID) of the file owner. type: keyword +example: 1001 + -- [float] 
@@ -2203,6 +2665,49 @@ type: keyword -- +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + [float] === host @@ -2436,6 +2941,27 @@ type: keyword -- +*`host.uptime`*:: ++ +-- +Seconds the host has been up. + +type: long + +example: 1325 + +-- + +*`host.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`host.user.email`*:: + -- @@ -2649,6 +3175,17 @@ example: err -- +*`log.logger`*:: ++ +-- +The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + +type: keyword + +example: org.elasticsearch.bootstrap.Bootstrap + +-- + *`log.original`*:: + -- @@ -3164,6 +3701,42 @@ example: /usr/bin/ssh -- +*`process.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.name`*:: + -- @@ -3176,6 +3749,17 @@ example: ssh -- +*`process.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + *`process.pid`*:: + -- @@ -3226,6 +3810,17 @@ format: string -- +*`process.thread.name`*:: ++ +-- +Thread name. + +type: keyword + +example: thread-0 + +-- + *`process.title`*:: + -- 
@@ -3236,6 +3831,17 @@ type: keyword -- +*`process.uptime`*:: ++ +-- +Seconds the process has been up. + +type: long + +example: 1325 + +-- + *`process.working_directory`*:: + -- @@ -3282,6 +3888,28 @@ type: keyword -- +*`server.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`server.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`server.bytes`*:: + -- @@ -3413,6 +4041,28 @@ type: keyword -- +*`server.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`server.nat.port`*:: ++ +-- +Translated port of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`server.packets`*:: + -- @@ -3435,6 +4085,16 @@ format: string -- +*`server.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`server.user.email`*:: + -- 
@@ -3525,9 +4185,9 @@ example: 8a4f500f *`service.id`*:: + -- -Unique identifier of the running service. -This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. -Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance. +Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. +This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. +Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. type: keyword @@ -3600,6 +4260,28 @@ type: keyword -- +*`source.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`source.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`source.bytes`*:: + -- @@ -3731,6 +4413,28 @@ type: keyword -- +*`source.nat.ip`*:: ++ +-- +Translated ip of source based NAT sessions (e.g. internal client to internet) +Typically connections traversing load balancers, firewalls, or routers. + +type: ip + +-- + +*`source.nat.port`*:: ++ +-- +Translated port of source based NAT sessions. (e.g. internal client to internet) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`source.packets`*:: + -- @@ -3753,6 +4457,16 @@ format: string -- +*`source.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`source.user.email`*:: + -- 
@@ -3821,6 +4535,36 @@ example: albert -- +[float] +=== tracing + +Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + +*`tracing.trace.id`*:: ++ +-- +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`tracing.transaction.id`*:: ++ +-- +Unique identifier of the transaction. +A transaction is the highest level of work measured within a service, such as a request to a server. + +type: keyword + +example: 00f067aa0ba902b7 + +-- + [float] === url @@ -3942,6 +4686,16 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +*`user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`user.email`*:: + -- diff --git a/journalbeat/include/fields.go b/journalbeat/include/fields.go index 9620d7b679b..b0fe0018d7d 100644 --- a/journalbeat/include/fields.go +++ b/journalbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/libbeat/_meta/fields.ecs.yml b/libbeat/_meta/fields.ecs.yml index 206ed71cb0d..37a5f7a0512 100644 --- a/libbeat/_meta/fields.ecs.yml +++ b/libbeat/_meta/fields.ecs.yml 
@@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 1.0.1. +# based on ECS version 1.1.0. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs @@ -110,6 +110,27 @@ ignore_above: 1024 description: Version of the agent. example: 6.0.0-rc2 + - name: as + title: Autonomous System + group: 2 + description: An autonomous system (AS) is a collection of connected Internet Protocol + (IP) routing prefixes under the control of one or more network operators on + behalf of a single administrative entity or domain that presents a common, clearly + defined routing policy to the internet. + type: group + fields: + - name: number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: organization.name + level: extended + type: keyword + ignore_above: 1024 + description: Organization name. + example: Google LLC - name: client title: Client group: 2 @@ -140,6 +161,18 @@ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.' + - name: as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: as.organization.name + level: extended + type: keyword + ignore_above: 1024 + description: Organization name. + example: Google LLC - name: bytes level: core type: long 
@@ -215,6 +248,21 @@ type: keyword ignore_above: 1024 description: MAC address of the client. + - name: nat.ip + level: extended + type: ip + description: 'Translated IP of source based NAT sessions (e.g. internal client + to internet). + + Typically connections traversing load balancers, firewalls, or routers.' + - name: nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions (e.g. internal client + to internet). + + Typically connections traversing load balancers, firewalls, or routers.' - name: packets level: core type: long @@ -225,6 +273,13 @@ type: long format: string description: Port of the client. + - name: user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' - name: user.email level: extended type: keyword @@ -381,6 +436,18 @@ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.' + - name: as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: as.organization.name + level: extended + type: keyword + ignore_above: 1024 + description: Organization name. + example: Google LLC - name: bytes level: core type: long @@ -456,6 +523,20 @@ type: keyword ignore_above: 1024 description: MAC address of the destination. + - name: nat.ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: nat.port + level: extended + type: long + format: string + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' - name: packets level: core type: long 
@@ -466,6 +547,13 @@ type: long format: string description: Port of the destination. + - name: user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' - name: user.email level: extended type: keyword 
@@ -507,6 +595,159 @@ ignore_above: 1024 description: Short name or login of the user. example: albert + - name: dns + title: DNS + group: 2 + description: 'Fields describing DNS queries and answers. + + DNS events should either represent a single DNS query prior to getting answers + (`dns.type:query`) or they should represent a full exchange and contain the + query details as well as all of the answers that were provided for this query + (`dns.type:answer`).' + type: group + fields: + - name: answers + level: extended + type: object + object_type: keyword + description: 'An array containing an object for each answer section returned + by the server. + + The main keys that should be present in these objects are defined by ECS. + Records that have more information may contain more keys than what ECS defines. + + Not all DNS data sources give all details about DNS answers. At minimum, answer + objects must contain the `data` key. If more information is available, map + as much of it to ECS as possible, and add any additional fields to the answer + objects as custom fields.' + - name: answers.class + level: extended + type: keyword + ignore_above: 1024 + description: The class of DNS data contained in this resource record. + example: IN + - name: answers.data + level: extended + type: keyword + ignore_above: 1024 + description: 'The data describing the resource. + + The meaning of this data depends on the type and class of the resource record.' + example: 10.10.10.10 + - name: answers.name + level: extended + type: keyword + ignore_above: 1024 + description: 'The domain name to which this resource record pertains. + + If a chain of CNAME is being resolved, each answer''s `name` should be the + one that corresponds with the answer''s `data`. It should not simply be the + original `question.name` repeated.' 
+ example: www.google.com + - name: answers.ttl + level: extended + type: long + description: The time interval in seconds that this resource record may be cached + before it should be discarded. Zero values mean that the data should not be + cached. + example: 180 + - name: answers.type + level: extended + type: keyword + ignore_above: 1024 + description: The type of data contained in this resource record. + example: CNAME + - name: header_flags + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of 2 letter DNS header flags. + + Expected values are: AA, TC, RD, RA, AD, CD, DO.' + example: + - RD + - RA + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: The DNS packet identifier assigned by the program that generated + the query. The identifier is copied to the response. + example: 62111 + - name: op_code + level: extended + type: keyword + ignore_above: 1024 + description: The DNS operation code that specifies the kind of query in the + message. This value is set by the originator of a query and copied into the + response. + example: QUERY + - name: question.class + level: extended + type: keyword + ignore_above: 1024 + description: The class of of records being queried. + example: IN + - name: question.name + level: extended + type: keyword + ignore_above: 1024 + description: 'The name being queried. + + If the name field contains non-printable characters (below 32 or above 126), + those characters should be represented as escaped base 10 integers (\DDD). + Back slashes and quotes should be escaped. Tabs, carriage returns, and line + feeds should be converted to \t, \r, and \n respectively.' + example: www.google.com + - name: question.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". 
+ + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: google.com + - name: question.type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: resolved_ip + level: extended + type: ip + description: 'Array containing all IPs seen in `answers.data`. + + The `answers` array can be difficult to use, because of the variety of data + formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` + makes it possible to index them as IP addresses, and makes them easier to + visualize and query for.' + example: + - 10.10.10.10 + - 10.10.10.11 + - name: response_code + level: extended + type: keyword + ignore_above: 1024 + description: The DNS response code. + example: NOERROR + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of DNS event captured, query or answer. + + If your source of DNS events only gives you DNS queries, you should only create + dns events of type `dns.type:query`. + + If your source of DNS events gives you answers as well, you should create + one event per query (optionally as soon as the query is seen). And a second + event containing all query details as well as an array of answers.' + example: answer - name: ecs title: ECS group: 2 
@@ -585,6 +826,16 @@ multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.' example: user-management + - name: code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 - name: created level: core type: date @@ -606,10 +857,13 @@ ignore_above: 1024 description: 'Name of the dataset. - The concept of a `dataset` (fileset / metricset) is used in Beats as a subset - of modules. It contains the information which is currently stored in metricset.name - and metricset.module or fileset.name.' - example: stats + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which one the event comes + from. + + It''s recommended but not required to start the dataset name with the module + name, followed by a dot, then the dataset name.' + example: apache.access - name: duration level: core type: long @@ -656,8 +910,10 @@ ignore_above: 1024 description: 'Name of the module this data is coming from. - This information is coming from the modules used in Beats or Logstash.' - example: mysql + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. Apache logs), `event.module` should contain + the name of this module.' + example: apache - name: original level: core type: keyword 
@@ -679,6 +935,17 @@ versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.' example: success + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: 'Source of the event. + + Event transports such as Syslog or the Windows Event Log typically mention + the source of an event. It can be the name of the software that generated + the event (e.g. Sysmon, httpd), or of a subsystem of the operating system + (kernel, Microsoft-Windows-Security-Auditing).' + example: kernel - name: risk_score level: core type: float @@ -692,6 +959,14 @@ This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.' + - name: sequence + level: extended + type: long + format: string + description: 'Sequence number of the event. + + The sequence number is a value published by some event sources, to make the + exact ordering of events unambiguous, regarless of the timestamp precision.' - name: severity level: core type: long 
@@ -734,62 +1009,116 @@ the event or metric.' type: group fields: + - name: accessed + level: extended + type: date + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + - name: created + level: extended + type: date + description: 'File creation time. + + Note that not all filesystems store the creation time.' - name: ctime level: extended type: date - description: Last time file metadata changed. + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' - name: device level: extended type: keyword ignore_above: 1024 description: Device that is the source of the file. + example: sda + - name: directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. + example: /home/alice - name: extension level: extended type: keyword ignore_above: 1024 - description: 'File extension. - - This should allow easy filtering by file extensions.' + description: File extension. example: png - name: gid level: extended type: keyword ignore_above: 1024 description: Primary group ID (GID) of the file. + example: '1001' - name: group level: extended type: keyword ignore_above: 1024 description: Primary group name of the file. + example: alice + - name: hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + - name: hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + - name: hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + - name: hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. - name: inode level: extended type: keyword ignore_above: 1024 description: Inode representing the file in the filesystem. 
+ example: '256383' - name: mode level: extended type: keyword ignore_above: 1024 description: Mode of the file in octal representation. - example: 416 + example: '0640' - name: mtime level: extended type: date - description: Last time file content was modified. + description: Last time the file content was modified. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png - name: owner level: extended type: keyword ignore_above: 1024 description: File owner's username. + example: alice - name: path level: extended type: keyword ignore_above: 1024 - description: Path to the file. + description: Full path to the file. + example: /home/alice/example.png - name: size level: extended type: long - description: File size in bytes (field is only added when `type` is `file`). + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 - name: target_path level: extended type: keyword @@ -800,11 +1129,13 @@ type: keyword ignore_above: 1024 description: File type (file, dir, or symlink). + example: file - name: uid level: extended type: keyword ignore_above: 1024 description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' - name: geo title: Geo group: 2 
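Review bot: The new `file.hash.md5`/`sha1`/`sha256`/`sha512` fields are plain `keyword` with descriptions of just `MD5 hash.` and so on, so nothing states the expected encoding or letter case; keyword matching is case-sensitive and producers differ (uppercase hex from some tools, lowercase from others), so a term lookup or threat-intel join on the hash silently misses a case mismatch. The same applies to the `hash` group added at `@@ -885` and to `process.hash.*` at `@@ -1516`. Worth stating the expectation in each description, e.g. `description: 'MD5 hash, as lowercase hex.'`, or normalizing case in the ingesting modules; I cannot tell from the diff whether ECS v1.1.0 itself specifies a convention, so the wording should presumably be agreed upstream.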
@@ -885,6 +1216,36 @@ type: keyword ignore_above: 1024 description: Name of the group. + - name: hash + title: Hash + group: 2 + description: 'The hash fields represent different hash algorithms and their values. + + Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for + other hashes by lowercasing the hash algorithm name and using underscore separators + as appropriate (snake case, e.g. sha3_512).' + type: group + fields: + - name: md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + - name: sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + - name: sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + - name: sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. - name: host title: Host group: 2 @@ -1033,6 +1394,18 @@ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: uptime + level: extended + type: long + description: Seconds the host has been up. + example: 1325 + - name: user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' - name: user.email level: extended type: keyword @@ -1158,6 +1531,13 @@ Some examples are `warn`, `error`, `i`.' example: err + - name: logger + level: core + type: keyword + ignore_above: 1024 + description: The name of the logger inside an application. This is usually the + name of the class which initialized the logger, or can be a custom name. + example: org.elasticsearch.bootstrap.Bootstrap - name: original level: core type: keyword 
@@ -1516,6 +1896,26 @@ ignore_above: 1024 description: Absolute path to the process executable. example: /usr/bin/ssh + - name: hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + - name: hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + - name: hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + - name: hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. - name: name level: extended type: keyword @@ -1524,6 +1924,11 @@ Sometimes called program name or similar.' example: ssh + - name: pgid + level: extended + type: long + format: string + description: Identifier of the group of processes the process belongs to. - name: pid level: core type: long @@ -1547,6 +1952,12 @@ format: string description: Thread ID. example: 4242 + - name: thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 - name: title level: extended type: keyword @@ -1555,6 +1966,11 @@ The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' + - name: uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 - name: working_directory level: extended type: keyword @@ -1611,6 +2027,18 @@ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.' + - name: as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: as.organization.name + level: extended + type: keyword + ignore_above: 1024 + description: Organization name. + example: Google LLC - name: bytes level: core type: long 
@@ -1686,6 +2114,21 @@ type: keyword ignore_above: 1024 description: MAC address of the server. + - name: nat.ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: nat.port + level: extended + type: long + format: string + description: 'Translated port of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' - name: packets level: core type: long @@ -1696,6 +2139,13 @@ type: long format: string description: Port of the server. + - name: user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' - name: user.email level: extended type: keyword @@ -1758,13 +2208,15 @@ level: core type: keyword ignore_above: 1024 - description: 'Unique identifier of the running service. + description: 'Unique identifier of the running service. If the service is comprised + of many nodes, the `service.id` should be the same for all nodes. - This id should uniquely identify this service. This makes it possible to correlate - logs and metrics for one specific service. + This id should uniquely identify the service. This makes it possible to correlate + logs and metrics for one specific service, no matter which particular node + emitted the event. - Example: If you are experiencing issues with one redis instance, you can filter - on that id to see metrics and logs for that single instance.' + Note that if you need to see the events from one specific host of the service, + you should filter on that `host.name` or `host.id` instead.' example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - name: name level: core 
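Review bot: The first sentence of the new `server.nat.ip` and `server.nat.port` descriptions, `Translated ip of destination based NAT sessions (e.g. internet to private DMZ)`, ends without a period before the blank line, while the `source.nat.port` counterpart at `@@ -1901` puts the period before the parenthetical (`NAT sessions. (e.g. internal client to internet)`); the generated asciidoc in this commit reproduces both forms. Ending each first sentence after the parenthetical, `... (e.g. internet to private DMZ).`, would make the four nat descriptions read alike. These are vendored ECS strings, so the wording change presumably belongs upstream.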
@@ -1826,6 +2278,18 @@ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.' + - name: as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: as.organization.name + level: extended + type: keyword + ignore_above: 1024 + description: Organization name. + example: Google LLC - name: bytes level: core type: long @@ -1901,6 +2365,21 @@ type: keyword ignore_above: 1024 description: MAC address of the source. + - name: nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + - name: nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' - name: packets level: core type: long @@ -1911,6 +2390,13 @@ type: long format: string description: Port of the source. + - name: user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' - name: user.email level: extended type: keyword 
@@ -1952,6 +2438,33 @@ ignore_above: 1024 description: Short name or login of the user. example: albert + - name: tracing + title: Tracing + group: 2 + description: Distributed tracing makes it possible to analyze performance throughout + a microservice architecture all in one view. This is accomplished by tracing + all of the requests - from the initial web request in the front-end service + - to queries made through multiple back-end services. + type: group + fields: + - name: trace.id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the trace. + + A trace groups multiple events like transactions that belong together. For + example, a user request handled by multiple inter-connected services.' + example: 4bf92f3577b34da6a3ce929d0e0e4736 + - name: transaction.id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the transaction. + + A transaction is the highest level of work measured within a service, such + as a request to a server.' + example: 00f067aa0ba902b7 - name: url title: URL group: 2 @@ -2044,6 +2557,13 @@ provide an array that includes all of them.' type: group fields: + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' - name: email level: extended type: keyword diff --git a/metricbeat/_meta/fields.common.yml b/metricbeat/_meta/fields.common.yml index 5b1f2f8bca0..6430a727918 100644 --- a/metricbeat/_meta/fields.common.yml +++ b/metricbeat/_meta/fields.common.yml @@ -20,11 +20,6 @@ description: > Current data collection period for this event in milliseconds. - - name: process.pgid - type: long - description: > - Process group id. - - name: service.address description: > Address of the machine where the service is running. This 
diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc index 351aef9ecd8..d71928f2423 100644 --- a/metricbeat/docs/fields.asciidoc +++ b/metricbeat/docs/fields.asciidoc @@ -3417,16 +3417,6 @@ type: integer -- -*`process.pgid`*:: -+ --- -Process group id. - - -type: long - --- - *`service.address`*:: + -- @@ -5975,6 +5965,34 @@ example: 6.0.0-rc2 -- +[float] +=== as + +An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. + + +*`as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + [float] === client @@ -5993,6 +6011,28 @@ type: keyword -- +*`client.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`client.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`client.bytes`*:: + -- @@ -6124,6 +6164,28 @@ type: keyword -- +*`client.nat.ip`*:: ++ +-- +Translated IP of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + +type: ip + +-- + +*`client.nat.port`*:: ++ +-- +Translated port of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`client.packets`*:: + -- 
@@ -6146,6 +6208,16 @@ format: string -- +*`client.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`client.user.email`*:: + -- @@ -6376,6 +6448,28 @@ type: keyword -- +*`destination.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`destination.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`destination.bytes`*:: + -- @@ -6507,6 +6601,28 @@ type: keyword -- +*`destination.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`destination.nat.port`*:: ++ +-- +Port the source session is translated to by NAT Device. +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`destination.packets`*:: + -- @@ -6529,6 +6645,16 @@ format: string -- +*`destination.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`destination.user.email`*:: + -- 
@@ -6597,6 +6723,198 @@ example: albert -- +[float] +=== dns + +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). + + +*`dns.answers`*:: ++ +-- +An array containing an object for each answer section returned by the server. +The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. +Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + +type: object + +-- + +*`dns.answers.class`*:: ++ +-- +The class of DNS data contained in this resource record. + +type: keyword + +example: IN + +-- + +*`dns.answers.data`*:: ++ +-- +The data describing the resource. +The meaning of this data depends on the type and class of the resource record. + +type: keyword + +example: 10.10.10.10 + +-- + +*`dns.answers.name`*:: ++ +-- +The domain name to which this resource record pertains. +If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + +type: keyword + +example: www.google.com + +-- + +*`dns.answers.ttl`*:: ++ +-- +The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + +type: long + +example: 180 + +-- + +*`dns.answers.type`*:: ++ +-- +The type of data contained in this resource record. + +type: keyword + +example: CNAME + +-- + +*`dns.header_flags`*:: ++ +-- +Array of 2 letter DNS header flags. 
+Expected values are: AA, TC, RD, RA, AD, CD, DO. + +type: keyword + +example: ['RD', 'RA'] + +-- + +*`dns.id`*:: ++ +-- +The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + +type: keyword + +example: 62111 + +-- + +*`dns.op_code`*:: ++ +-- +The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + +type: keyword + +example: QUERY + +-- + +*`dns.question.class`*:: ++ +-- +The class of of records being queried. + +type: keyword + +example: IN + +-- + +*`dns.question.name`*:: ++ +-- +The name being queried. +If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + +type: keyword + +example: www.google.com + +-- + +*`dns.question.registered_domain`*:: ++ +-- +The highest registered domain, stripped of the subdomain. +For example, the registered domain for "foo.google.com" is "google.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: google.com + +-- + +*`dns.question.type`*:: ++ +-- +The type of record being queried. + +type: keyword + +example: AAAA + +-- + +*`dns.resolved_ip`*:: ++ +-- +Array containing all IPs seen in `answers.data`. +The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
+ +type: ip + +example: ['10.10.10.10', '10.10.10.11'] + +-- + +*`dns.response_code`*:: ++ +-- +The DNS response code. + +type: keyword + +example: NOERROR + +-- + +*`dns.type`*:: ++ +-- +The type of DNS event captured, query or answer. +If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. +If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + +type: keyword + +example: answer + +-- + [float] === ecs @@ -6682,6 +7000,18 @@ example: user-management -- +*`event.code`*:: ++ +-- +Identification code for this event, if one exists. +Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + +type: keyword + +example: 4648 + +-- + *`event.created`*:: + -- @@ -6698,11 +7028,12 @@ type: date + -- Name of the dataset. -The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. +If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. +It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. type: keyword -example: stats +example: apache.access -- 
@@ -6765,11 +7096,11 @@ example: state + -- Name of the module this data is coming from. -This information is coming from the modules used in Beats or Logstash. +If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. type: keyword -example: mysql +example: apache -- @@ -6797,16 +7128,28 @@ example: success -- -*`event.risk_score`*:: +*`event.provider`*:: + -- -Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +Source of the event. +Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). -type: float +type: keyword + +example: kernel -- -*`event.risk_score_norm`*:: +*`event.risk_score`*:: ++ +-- +Risk score or priority of the event (e.g. security solutions). Use your system's original value here. + +type: float + +-- + +*`event.risk_score_norm`*:: + -- Normalized risk score or priority of the event, on a scale of 0 to 100. @@ -6816,6 +7159,18 @@ type: float -- +*`event.sequence`*:: ++ +-- +Sequence number of the event. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. + +type: long + +format: string + +-- + *`event.severity`*:: + -- 
@@ -6865,10 +7220,31 @@ A file is defined as a set of information that has been created on, or has exist File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. +*`file.accessed`*:: ++ +-- +Last time the file was accessed. +Note that not all filesystems keep track of access time. + +type: date + +-- + +*`file.created`*:: ++ +-- +File creation time. +Note that not all filesystems store the creation time. + +type: date + +-- + *`file.ctime`*:: + -- -Last time file metadata changed. +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. type: date @@ -6881,13 +7257,25 @@ Device that is the source of the file. type: keyword +example: sda + +-- + +*`file.directory`*:: ++ +-- +Directory where the file is located. + +type: keyword + +example: /home/alice + -- *`file.extension`*:: + -- File extension. -This should allow easy filtering by file extensions. type: keyword @@ -6902,6 +7290,8 @@ Primary group ID (GID) of the file. type: keyword +example: 1001 + -- *`file.group`*:: @@ -6911,6 +7301,44 @@ Primary group name of the file. type: keyword +example: alice + +-- + +*`file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + -- *`file.inode`*:: @@ -6920,6 +7348,8 @@ Inode representing the file in the filesystem. type: keyword +example: 256383 + -- *`file.mode`*:: 
@@ -6929,19 +7359,30 @@ Mode of the file in octal representation. type: keyword -example: 416 +example: 0640 -- *`file.mtime`*:: + -- -Last time file content was modified. +Last time the file content was modified. type: date -- +*`file.name`*:: ++ +-- +Name of the file including the extension, without the directory. + +type: keyword + +example: example.png + +-- + *`file.owner`*:: + -- @@ -6949,24 +7390,31 @@ File owner's username. type: keyword +example: alice + -- *`file.path`*:: + -- -Path to the file. +Full path to the file. type: keyword +example: /home/alice/example.png + -- *`file.size`*:: + -- -File size in bytes (field is only added when `type` is `file`). +File size in bytes. +Only relevant when `file.type` is "file". type: long +example: 16384 + -- *`file.target_path`*:: @@ -6985,6 +7433,8 @@ File type (file, dir, or symlink). type: keyword +example: file + -- *`file.uid`*:: @@ -6994,6 +7444,8 @@ The user ID (UID) or security identifier (SID) of the file owner. type: keyword +example: 1001 + -- [float] @@ -7117,6 +7569,49 @@ type: keyword -- +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + [float] === host @@ -7350,6 +7845,27 @@ type: keyword -- +*`host.uptime`*:: ++ +-- +Seconds the host has been up. + +type: long + +example: 1325 + +-- + +*`host.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`host.user.email`*:: + -- 
@@ -7563,6 +8079,17 @@ example: err -- +*`log.logger`*:: ++ +-- +The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + +type: keyword + +example: org.elasticsearch.bootstrap.Bootstrap + +-- + *`log.original`*:: + -- @@ -8078,6 +8605,42 @@ example: /usr/bin/ssh -- +*`process.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.name`*:: + -- @@ -8090,6 +8653,17 @@ example: ssh -- +*`process.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + *`process.pid`*:: + -- @@ -8140,6 +8714,17 @@ format: string -- +*`process.thread.name`*:: ++ +-- +Thread name. + +type: keyword + +example: thread-0 + +-- + *`process.title`*:: + -- @@ -8150,6 +8735,17 @@ type: keyword -- +*`process.uptime`*:: ++ +-- +Seconds the process has been up. + +type: long + +example: 1325 + +-- + *`process.working_directory`*:: + -- @@ -8196,6 +8792,28 @@ type: keyword -- +*`server.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`server.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`server.bytes`*:: + -- 
@@ -8327,6 +8945,28 @@ type: keyword -- +*`server.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`server.nat.port`*:: ++ +-- +Translated port of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`server.packets`*:: + -- @@ -8349,6 +8989,16 @@ format: string -- +*`server.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`server.user.email`*:: + -- @@ -8439,9 +9089,9 @@ example: 8a4f500f *`service.id`*:: + -- -Unique identifier of the running service. -This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. -Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance. +Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. +This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. +Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. type: keyword @@ -8514,6 +9164,28 @@ type: keyword -- +*`source.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`source.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`source.bytes`*:: + -- 
@@ -8645,6 +9317,28 @@ type: keyword -- +*`source.nat.ip`*:: ++ +-- +Translated ip of source based NAT sessions (e.g. internal client to internet) +Typically connections traversing load balancers, firewalls, or routers. + +type: ip + +-- + +*`source.nat.port`*:: ++ +-- +Translated port of source based NAT sessions. (e.g. internal client to internet) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`source.packets`*:: + -- @@ -8667,6 +9361,16 @@ format: string -- +*`source.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`source.user.email`*:: + -- @@ -8735,6 +9439,36 @@ example: albert -- +[float] +=== tracing + +Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + +*`tracing.trace.id`*:: ++ +-- +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`tracing.transaction.id`*:: ++ +-- +Unique identifier of the transaction. +A transaction is the highest level of work measured within a service, such as a request to a server. + +type: keyword + +example: 00f067aa0ba902b7 + +-- + [float] === url @@ -8856,6 +9590,16 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +*`user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`user.email`*:: + -- 
diff --git a/metricbeat/include/fields/fields.go b/metricbeat/include/fields/fields.go index 905e6f8636d..2f4b31b9fd4 100644 --- a/metricbeat/include/fields/fields.go +++ b/metricbeat/include/fields/fields.go @@ -32,5 +32,5 @@ func init() { // AssetLibbeatFieldsYml returns asset data. // This is the base64 encoded gzipped contents of ../libbeat/fields.yml. func AssetLibbeatFieldsYml() string { - return "" + return "" } diff --git a/packetbeat/docs/fields.asciidoc b/packetbeat/docs/fields.asciidoc index db45b56f65f..aeb760ad794 100644 --- a/packetbeat/docs/fields.asciidoc +++ b/packetbeat/docs/fields.asciidoc @@ -2386,6 +2386,34 @@ example: 6.0.0-rc2 -- +[float] +=== as + +An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. + + +*`as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + [float] === client @@ -2404,6 +2432,28 @@ type: keyword -- +*`client.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`client.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`client.bytes`*:: + -- 
@@ -2535,6 +2585,28 @@ type: keyword -- +*`client.nat.ip`*:: ++ +-- +Translated IP of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + +type: ip + +-- + +*`client.nat.port`*:: ++ +-- +Translated port of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`client.packets`*:: + -- @@ -2557,6 +2629,16 @@ format: string -- +*`client.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`client.user.email`*:: + -- @@ -2787,6 +2869,28 @@ type: keyword -- +*`destination.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`destination.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`destination.bytes`*:: + -- @@ -2918,6 +3022,28 @@ type: keyword -- +*`destination.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`destination.nat.port`*:: ++ +-- +Port the source session is translated to by NAT Device. +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`destination.packets`*:: + -- @@ -2940,6 +3066,16 @@ format: string -- +*`destination.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`destination.user.email`*:: + -- 
@@ -3008,6 +3144,198 @@ example: albert -- +[float] +=== dns + +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). + + +*`dns.answers`*:: ++ +-- +An array containing an object for each answer section returned by the server. +The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. +Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + +type: object + +-- + +*`dns.answers.class`*:: ++ +-- +The class of DNS data contained in this resource record. + +type: keyword + +example: IN + +-- + +*`dns.answers.data`*:: ++ +-- +The data describing the resource. +The meaning of this data depends on the type and class of the resource record. + +type: keyword + +example: 10.10.10.10 + +-- + +*`dns.answers.name`*:: ++ +-- +The domain name to which this resource record pertains. +If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + +type: keyword + +example: www.google.com + +-- + +*`dns.answers.ttl`*:: ++ +-- +The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + +type: long + +example: 180 + +-- + +*`dns.answers.type`*:: ++ +-- +The type of data contained in this resource record. + +type: keyword + +example: CNAME + +-- + +*`dns.header_flags`*:: ++ +-- +Array of 2 letter DNS header flags. 
+Expected values are: AA, TC, RD, RA, AD, CD, DO. + +type: keyword + +example: ['RD', 'RA'] + +-- + +*`dns.id`*:: ++ +-- +The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + +type: keyword + +example: 62111 + +-- + +*`dns.op_code`*:: ++ +-- +The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + +type: keyword + +example: QUERY + +-- + +*`dns.question.class`*:: ++ +-- +The class of of records being queried. + +type: keyword + +example: IN + +-- + +*`dns.question.name`*:: ++ +-- +The name being queried. +If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + +type: keyword + +example: www.google.com + +-- + +*`dns.question.registered_domain`*:: ++ +-- +The highest registered domain, stripped of the subdomain. +For example, the registered domain for "foo.google.com" is "google.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: google.com + +-- + +*`dns.question.type`*:: ++ +-- +The type of record being queried. + +type: keyword + +example: AAAA + +-- + +*`dns.resolved_ip`*:: ++ +-- +Array containing all IPs seen in `answers.data`. +The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
+ +type: ip + +example: ['10.10.10.10', '10.10.10.11'] + +-- + +*`dns.response_code`*:: ++ +-- +The DNS response code. + +type: keyword + +example: NOERROR + +-- + +*`dns.type`*:: ++ +-- +The type of DNS event captured, query or answer. +If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. +If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + +type: keyword + +example: answer + +-- + [float] === ecs @@ -3093,6 +3421,18 @@ example: user-management -- +*`event.code`*:: ++ +-- +Identification code for this event, if one exists. +Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + +type: keyword + +example: 4648 + +-- + *`event.created`*:: + -- @@ -3109,11 +3449,12 @@ type: date + -- Name of the dataset. -The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. +If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. +It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. type: keyword -example: stats +example: apache.access -- 
@@ -3176,11 +3517,11 @@ example: state + -- Name of the module this data is coming from. -This information is coming from the modules used in Beats or Logstash. +If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. type: keyword -example: mysql +example: apache -- @@ -3208,6 +3549,18 @@ example: success -- +*`event.provider`*:: ++ +-- +Source of the event. +Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + +type: keyword + +example: kernel + +-- + *`event.risk_score`*:: + -- @@ -3227,6 +3580,18 @@ type: float -- +*`event.sequence`*:: ++ +-- +Sequence number of the event. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. + +type: long + +format: string + +-- + *`event.severity`*:: + -- 
@@ -3265,60 +3630,133 @@ type: keyword Reserved for future usage. Please avoid using this field for user data. -type: keyword +type: keyword + +-- + +[float] +=== file + +A file is defined as a set of information that has been created on, or has existed on a filesystem. +File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. + + +*`file.accessed`*:: ++ +-- +Last time the file was accessed. +Note that not all filesystems keep track of access time. + +type: date + +-- + +*`file.created`*:: ++ +-- +File creation time. +Note that not all filesystems store the creation time. + +type: date + +-- + +*`file.ctime`*:: ++ +-- +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + +type: date + +-- + +*`file.device`*:: ++ +-- +Device that is the source of the file. + +type: keyword + +example: sda + +-- + +*`file.directory`*:: ++ +-- +Directory where the file is located. + +type: keyword + +example: /home/alice + +-- + +*`file.extension`*:: ++ +-- +File extension. + +type: keyword + +example: png + +-- +*`file.gid`*:: ++ -- +Primary group ID (GID) of the file. -[float] -=== file +type: keyword -A file is defined as a set of information that has been created on, or has existed on a filesystem. -File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. +example: 1001 +-- -*`file.ctime`*:: +*`file.group`*:: + -- -Last time file metadata changed. +Primary group name of the file. 
-type: date +type: keyword + +example: alice -- -*`file.device`*:: +*`file.hash.md5`*:: + -- -Device that is the source of the file. +MD5 hash. type: keyword -- -*`file.extension`*:: +*`file.hash.sha1`*:: + -- -File extension. -This should allow easy filtering by file extensions. +SHA1 hash. type: keyword -example: png - -- -*`file.gid`*:: +*`file.hash.sha256`*:: + -- -Primary group ID (GID) of the file. +SHA256 hash. type: keyword -- -*`file.group`*:: +*`file.hash.sha512`*:: + -- -Primary group name of the file. +SHA512 hash. type: keyword @@ -3331,6 +3769,8 @@ Inode representing the file in the filesystem. type: keyword +example: 256383 + -- *`file.mode`*:: @@ -3340,19 +3780,30 @@ Mode of the file in octal representation. type: keyword -example: 416 +example: 0640 -- *`file.mtime`*:: + -- -Last time file content was modified. +Last time the file content was modified. type: date -- +*`file.name`*:: ++ +-- +Name of the file including the extension, without the directory. + +type: keyword + +example: example.png + +-- + *`file.owner`*:: + -- @@ -3360,24 +3811,31 @@ File owner's username. type: keyword +example: alice + -- *`file.path`*:: + -- -Path to the file. +Full path to the file. type: keyword +example: /home/alice/example.png + -- *`file.size`*:: + -- -File size in bytes (field is only added when `type` is `file`). +File size in bytes. +Only relevant when `file.type` is "file". type: long +example: 16384 + -- *`file.target_path`*:: @@ -3396,6 +3854,8 @@ File type (file, dir, or symlink). type: keyword +example: file + -- *`file.uid`*:: @@ -3405,6 +3865,8 @@ The user ID (UID) or security identifier (SID) of the file owner. type: keyword +example: 1001 + -- [float] 
@@ -3528,6 +3990,49 @@ type: keyword -- +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + [float] === host @@ -3761,6 +4266,27 @@ type: keyword -- +*`host.uptime`*:: ++ +-- +Seconds the host has been up. + +type: long + +example: 1325 + +-- + +*`host.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`host.user.email`*:: + -- @@ -3974,6 +4500,17 @@ example: err -- +*`log.logger`*:: ++ +-- +The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + +type: keyword + +example: org.elasticsearch.bootstrap.Bootstrap + +-- + *`log.original`*:: + -- @@ -4489,6 +5026,42 @@ example: /usr/bin/ssh -- +*`process.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.name`*:: + -- @@ -4501,6 +5074,17 @@ example: ssh -- +*`process.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + *`process.pid`*:: + -- @@ -4551,6 +5135,17 @@ format: string -- +*`process.thread.name`*:: ++ +-- +Thread name. + +type: keyword + +example: thread-0 + +-- + *`process.title`*:: + -- 
@@ -4561,6 +5156,17 @@ type: keyword -- +*`process.uptime`*:: ++ +-- +Seconds the process has been up. + +type: long + +example: 1325 + +-- + *`process.working_directory`*:: + -- @@ -4607,6 +5213,28 @@ type: keyword -- +*`server.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`server.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`server.bytes`*:: + -- @@ -4738,6 +5366,28 @@ type: keyword -- +*`server.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`server.nat.port`*:: ++ +-- +Translated port of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`server.packets`*:: + -- @@ -4760,6 +5410,16 @@ format: string -- +*`server.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`server.user.email`*:: + -- 
@@ -4850,9 +5510,9 @@ example: 8a4f500f *`service.id`*:: + -- -Unique identifier of the running service. -This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. -Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance. +Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. +This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. +Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. type: keyword @@ -4925,6 +5585,28 @@ type: keyword -- +*`source.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`source.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`source.bytes`*:: + -- @@ -5056,6 +5738,28 @@ type: keyword -- +*`source.nat.ip`*:: ++ +-- +Translated ip of source based NAT sessions (e.g. internal client to internet) +Typically connections traversing load balancers, firewalls, or routers. + +type: ip + +-- + +*`source.nat.port`*:: ++ +-- +Translated port of source based NAT sessions. (e.g. internal client to internet) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`source.packets`*:: + -- @@ -5078,6 +5782,16 @@ format: string -- +*`source.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`source.user.email`*:: + -- 
@@ -5146,6 +5860,36 @@ example: albert -- +[float] +=== tracing + +Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + +*`tracing.trace.id`*:: ++ +-- +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`tracing.transaction.id`*:: ++ +-- +Unique identifier of the transaction. +A transaction is the highest level of work measured within a service, such as a request to a server. + +type: keyword + +example: 00f067aa0ba902b7 + +-- + [float] === url @@ -5267,6 +6011,16 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +*`user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`user.email`*:: + -- diff --git a/packetbeat/include/fields.go b/packetbeat/include/fields.go index 8d2edae07a5..eea72ff9ee4 100644 --- a/packetbeat/include/fields.go +++ b/packetbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/as.go b/vendor/github.com/elastic/ecs/code/go/ecs/as.go new file mode 100644 index 00000000000..32451693f64 --- /dev/null +++ b/vendor/github.com/elastic/ecs/code/go/ecs/as.go 
@@ -0,0 +1,33 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// An autonomous system (AS) is a collection of connected Internet Protocol +// (IP) routing prefixes under the control of one or more network operators on +// behalf of a single administrative entity or domain that presents a common, +// clearly defined routing policy to the internet. +type AS struct { + // Unique number allocated to the autonomous system. The autonomous system + // number (ASN) uniquely identifies each network on the Internet. + Number int64 `ecs:"number"` + + // Organization name. + OrganizationName string `ecs:"organization.name"` +} diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/client.go b/vendor/github.com/elastic/ecs/code/go/ecs/client.go index 73bead64811..4aea0d36bbd 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/client.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/client.go 
@@ -58,4 +58,14 @@ type Client struct { // Packets sent from the client to the server. Packets int64 `ecs:"packets"` + + // Translated IP of source based NAT sessions (e.g. internal client to + // internet). + // Typically connections traversing load balancers, firewalls, or routers. + NatIP string `ecs:"nat.ip"` + + // Translated port of source based NAT sessions (e.g. internal client to + // internet). + // Typically connections traversing load balancers, firewalls, or routers. + NatPort int64 `ecs:"nat.port"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/destination.go b/vendor/github.com/elastic/ecs/code/go/ecs/destination.go index 26a70e9cb7b..4976afc54ee 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/destination.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/destination.go @@ -47,4 +47,13 @@ type Destination struct { // Packets sent from the destination to the source. Packets int64 `ecs:"packets"` + + // Translated ip of destination based NAT sessions (e.g. internet to + // private DMZ) + // Typically used with load balancers, firewalls, or routers. + NatIP string `ecs:"nat.ip"` + + // Port the source session is translated to by NAT Device. + // Typically used with load balancers, firewalls, or routers. + NatPort int64 `ecs:"nat.port"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/dns.go b/vendor/github.com/elastic/ecs/code/go/ecs/dns.go new file mode 100644 index 00000000000..17b930f84c8 --- /dev/null +++ b/vendor/github.com/elastic/ecs/code/go/ecs/dns.go 
@@ -0,0 +1,114 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// Fields describing DNS queries and answers. +// DNS events should either represent a single DNS query prior to getting +// answers (`dns.type:query`) or they should represent a full exchange and +// contain the query details as well as all of the answers that were provided +// for this query (`dns.type:answer`). +type Dns struct { + // The type of DNS event captured, query or answer. + // If your source of DNS events only gives you DNS queries, you should only + // create dns events of type `dns.type:query`. + // If your source of DNS events gives you answers as well, you should + // create one event per query (optionally as soon as the query is seen). + // And a second event containing all query details as well as an array of + // answers. + Type string `ecs:"type"` + + // The DNS packet identifier assigned by the program that generated the + // query. The identifier is copied to the response. + ID string `ecs:"id"` + + // The DNS operation code that specifies the kind of query in the message. + // This value is set by the originator of a query and copied into the + // response. 
+ OpCode string `ecs:"op_code"` + + // Array of 2 letter DNS header flags. + // Expected values are: AA, TC, RD, RA, AD, CD, DO. + HeaderFlags string `ecs:"header_flags"` + + // The DNS response code. + ResponseCode string `ecs:"response_code"` + + // The name being queried. + // If the name field contains non-printable characters (below 32 or above + // 126), those characters should be represented as escaped base 10 integers + // (\DDD). Back slashes and quotes should be escaped. Tabs, carriage + // returns, and line feeds should be converted to \t, \r, and \n + // respectively. + QuestionName string `ecs:"question.name"` + + // The type of record being queried. + QuestionType string `ecs:"question.type"` + + // The class of of records being queried. + QuestionClass string `ecs:"question.class"` + + // The highest registered domain, stripped of the subdomain. + // For example, the registered domain for "foo.google.com" is "google.com". + // This value can be determined precisely with a list like the public + // suffix list (http://publicsuffix.org). Trying to approximate this by + // simply taking the last two labels will not work well for TLDs such as + // "co.uk". + QuestionRegisteredDomain string `ecs:"question.registered_domain"` + + // An array containing an object for each answer section returned by the + // server. + // The main keys that should be present in these objects are defined by + // ECS. Records that have more information may contain more keys than what + // ECS defines. + // Not all DNS data sources give all details about DNS answers. At minimum, + // answer objects must contain the `data` key. If more information is + // available, map as much of it to ECS as possible, and add any additional + // fields to the answer objects as custom fields. + Answers map[string]interface{} `ecs:"answers"` + + // The domain name to which this resource record pertains. 
+ // If a chain of CNAME is being resolved, each answer's `name` should be + // the one that corresponds with the answer's `data`. It should not simply + // be the original `question.name` repeated. + AnswersName string `ecs:"answers.name"` + + // The type of data contained in this resource record. + AnswersType string `ecs:"answers.type"` + + // The class of DNS data contained in this resource record. + AnswersClass string `ecs:"answers.class"` + + // The time interval in seconds that this resource record may be cached + // before it should be discarded. Zero values mean that the data should not + // be cached. + AnswersTtl int64 `ecs:"answers.ttl"` + + // The data describing the resource. + // The meaning of this data depends on the type and class of the resource + // record. + AnswersData string `ecs:"answers.data"` + + // Array containing all IPs seen in `answers.data`. + // The `answers` array can be difficult to use, because of the variety of + // data formats it can contain. Extracting all IP addresses seen in there + // to `dns.resolved_ip` makes it possible to index them as IP addresses, + // and makes them easier to visualize and query for. + ResolvedIP string `ecs:"resolved_ip"` +} diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/event.go b/vendor/github.com/elastic/ecs/code/go/ecs/event.go index 56fcebe0561..f43b4f8f0a1 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/event.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/event.go 
@@ -37,6 +37,12 @@ type Event struct { // Unique ID to describe the event. ID string `ecs:"id"` + // Identification code for this event, if one exists. + // Some event sources use event codes to identify messages unambiguously, + // regardless of message language or wording adjustments over time. An + // example of this is the Windows Event ID. + Code string `ecs:"code"` + // The kind of the event. // This gives information about what type of information the event // contains, without being specific to the contents of the event. Examples 
@@ -71,15 +77,26 @@ type Event struct { Type string `ecs:"type"` // Name of the module this data is coming from. - // This information is coming from the modules used in Beats or Logstash. + // If your monitoring agent supports the concept of modules or plugins to + // process events of a given source (e.g. Apache logs), `event.module` + // should contain the name of this module. Module string `ecs:"module"` // Name of the dataset. - // The concept of a `dataset` (fileset / metricset) is used in Beats as a - // subset of modules. It contains the information which is currently stored - // in metricset.name and metricset.module or fileset.name. + // If an event source publishes more than one type of log or events (e.g. + // access log, error log), the dataset is used to specify which one the + // event comes from. + // It's recommended but not required to start the dataset name with the + // module name, followed by a dot, then the dataset name. Dataset string `ecs:"dataset"` + // Source of the event. + // Event transports such as Syslog or the Windows Event Log typically + // mention the source of an event. It can be the name of the software that + // generated the event (e.g. Sysmon, httpd), or of a subsystem of the + // operating system (kernel, Microsoft-Windows-Security-Auditing). + Provider string `ecs:"provider"` + // Severity describes the original severity of the event. What the // different severity values mean can very different between use cases. // It's up to the implementer to make sure severities are consistent across 
@@ -100,6 +117,12 @@ type Event struct { // difference between the end and start time. Duration time.Duration `ecs:"duration"` + // Sequence number of the event. + // The sequence number is a value published by some event sources, to make + // the exact ordering of events unambiguous, regarless of the timestamp + // precision. + Sequence int64 `ecs:"sequence"` + // This field should be populated when the event's timestamp does not // include timezone information already (e.g. default Syslog timestamps). // It's optional otherwise. diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/file.go b/vendor/github.com/elastic/ecs/code/go/ecs/file.go index 8b3dfc8a58e..0ea31294e61 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/file.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/file.go @@ -30,14 +30,19 @@ import ( // services). File fields provide details about the affected file associated // with the event or metric. type File struct { - // Path to the file. + // Name of the file including the extension, without the directory. + Name string `ecs:"name"` + + // Directory where the file is located. + Directory string `ecs:"directory"` + + // Full path to the file. Path string `ecs:"path"` // Target path for symlinks. TargetPath string `ecs:"target_path"` // File extension. - // This should allow easy filtering by file extensions. Extension string `ecs:"extension"` // File type (file, dir, or symlink). 
@@ -64,12 +69,24 @@ type File struct { // Mode of the file in octal representation. Mode string `ecs:"mode"` - // File size in bytes (field is only added when `type` is `file`). + // File size in bytes. + // Only relevant when `file.type` is "file". Size int64 `ecs:"size"` - // Last time file content was modified. + // Last time the file content was modified. Mtime time.Time `ecs:"mtime"` - // Last time file metadata changed. + // Last time the file attributes or metadata changed. + // Note that changes to the file content will update `mtime`. This implies + // `ctime` will be adjusted at the same time, since `mtime` is an attribute + // of the file. Ctime time.Time `ecs:"ctime"` + + // File creation time. + // Note that not all filesystems store the creation time. + Created time.Time `ecs:"created"` + + // Last time the file was accessed. + // Note that not all filesystems keep track of access time. + Accessed time.Time `ecs:"accessed"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/hash.go b/vendor/github.com/elastic/ecs/code/go/ecs/hash.go new file mode 100644 index 00000000000..070b4256cc0 --- /dev/null +++ b/vendor/github.com/elastic/ecs/code/go/ecs/hash.go 
@@ -0,0 +1,38 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// The hash fields represent different hash algorithms and their values. +// Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields +// for other hashes by lowercasing the hash algorithm name and using underscore +// separators as appropriate (snake case, e.g. sha3_512). +type Hash struct { + // MD5 hash. + Md5 string `ecs:"md5"` + + // SHA1 hash. + Sha1 string `ecs:"sha1"` + + // SHA256 hash. + Sha256 string `ecs:"sha256"` + + // SHA512 hash. + Sha512 string `ecs:"sha512"` +} diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/host.go b/vendor/github.com/elastic/ecs/code/go/ecs/host.go index 6d652bf9e6b..c002e7dd681 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/host.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/host.go @@ -53,6 +53,9 @@ type Host struct { // meaningful in your environment. Type string `ecs:"type"` + // Seconds the host has been up. + Uptime int64 `ecs:"uptime"` + // Operating system architecture. Architecture string `ecs:"architecture"` } 
diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/log.go b/vendor/github.com/elastic/ecs/code/go/ecs/log.go index 11f3ab8febc..492319a8b86 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/log.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/log.go @@ -34,4 +34,8 @@ type Log struct { // This field is not indexed and doc_values are disabled so it can't be // queried but the value can be retrieved from `_source`. Original string `ecs:"original"` + + // The name of the logger inside an application. This is usually the name + // of the class which initialized the logger, or can be a custom name. + Logger string `ecs:"logger"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/process.go b/vendor/github.com/elastic/ecs/code/go/ecs/process.go index 96bcabe053e..7ce0851a3ec 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/process.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/process.go @@ -38,6 +38,9 @@ type Process struct { // Parent process' pid. PPID int64 `ecs:"ppid"` + // Identifier of the group of processes the process belongs to. + PGID int64 `ecs:"pgid"` + // Array of process arguments. // May be filtered to protect sensitive information. Args []string `ecs:"args"` @@ -54,9 +57,15 @@ type Process struct { // Thread ID. ThreadID int64 `ecs:"thread.id"` + // Thread name. + ThreadName string `ecs:"thread.name"` + // The time the process started. Start time.Time `ecs:"start"` + // Seconds the process has been up. + Uptime int64 `ecs:"uptime"` + // The working directory of the process. WorkingDirectory string `ecs:"working_directory"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/server.go b/vendor/github.com/elastic/ecs/code/go/ecs/server.go index ca81c34ceba..5b4b25db6a3 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/server.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/server.go 
@@ -58,4 +58,14 @@ type Server struct { // Packets sent from the server to the client. Packets int64 `ecs:"packets"` + + // Translated ip of destination based NAT sessions (e.g. internet to + // private DMZ) + // Typically used with load balancers, firewalls, or routers. + NatIP string `ecs:"nat.ip"` + + // Translated port of destination based NAT sessions (e.g. internet to + // private DMZ) + // Typically used with load balancers, firewalls, or routers. + NatPort int64 `ecs:"nat.port"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/service.go b/vendor/github.com/elastic/ecs/code/go/ecs/service.go index 2e70e0906e4..df93fb1df65 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/service.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/service.go @@ -24,11 +24,13 @@ package ecs // These fields help you find and correlate logs for a specific service and // version. type Service struct { - // Unique identifier of the running service. - // This id should uniquely identify this service. This makes it possible to - // correlate logs and metrics for one specific service. - // Example: If you are experiencing issues with one redis instance, you can - // filter on that id to see metrics and logs for that single instance. + // Unique identifier of the running service. If the service is comprised of + // many nodes, the `service.id` should be the same for all nodes. + // This id should uniquely identify the service. This makes it possible to + // correlate logs and metrics for one specific service, no matter which + // particular node emitted the event. + // Note that if you need to see the events from one specific host of the + // service, you should filter on that `host.name` or `host.id` instead. ID string `ecs:"id"` // Name of the service data is collected from. diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/source.go b/vendor/github.com/elastic/ecs/code/go/ecs/source.go index fd3ea5dd8f9..34cbeb81916 100644 
--- a/vendor/github.com/elastic/ecs/code/go/ecs/source.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/source.go @@ -47,4 +47,14 @@ type Source struct { // Packets sent from the source to the destination. Packets int64 `ecs:"packets"` + + // Translated ip of source based NAT sessions (e.g. internal client to + // internet) + // Typically connections traversing load balancers, firewalls, or routers. + NatIP string `ecs:"nat.ip"` + + // Translated port of source based NAT sessions. (e.g. internal client to + // internet) + // Typically used with load balancers, firewalls, or routers. + NatPort int64 `ecs:"nat.port"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/tracing.go b/vendor/github.com/elastic/ecs/code/go/ecs/tracing.go new file mode 100644 index 00000000000..7d5435c44d7 --- /dev/null +++ b/vendor/github.com/elastic/ecs/code/go/ecs/tracing.go 
@@ -0,0 +1,37 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// Distributed tracing makes it possible to analyze performance throughout a +// microservice architecture all in one view. This is accomplished by tracing +// all of the requests - from the initial web request in the front-end service +// - to queries made through multiple back-end services. +type Tracing struct { + // Unique identifier of the trace. + // A trace groups multiple events like transactions that belong together. + // For example, a user request handled by multiple inter-connected + // services. + TraceID string `ecs:"trace.id"` + + // Unique identifier of the transaction. + // A transaction is the highest level of work measured within a service, + // such as a request to a server. + TransactionID string `ecs:"transaction.id"` +} diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/user.go b/vendor/github.com/elastic/ecs/code/go/ecs/user.go index 411a0700385..e80effb7710 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/user.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/user.go 
@@ -40,4 +40,8 @@ type User struct { // Useful if `user.id` or `user.name` contain confidential information and // cannot be used. Hash string `ecs:"hash"` + + // Name of the directory the user is a member of. + // For example, an LDAP or Active Directory domain name. + Domain string `ecs:"domain"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/version.go b/vendor/github.com/elastic/ecs/code/go/ecs/version.go index c951aae1354..981ba9c97cb 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/version.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/version.go @@ -20,4 +20,4 @@ package ecs // Version is the Elastic Common Schema version from which this was generated. -const Version = "1.0.1" +const Version = "1.1.0" diff --git a/vendor/vendor.json b/vendor/vendor.json index aa8b29cf12d..65290f5ce30 100644 --- a/vendor/vendor.json +++ b/vendor/vendor.json @@ -932,12 +932,12 @@ "revisionTime": "2016-08-05T00:47:13Z" }, { - "checksumSHA1": "rXP3Wn/PiAk8DQLcy9Bjz7wT7Po=", + "checksumSHA1": "iFJq2WHNE7dIM4+7yOflAahyk0Q=", "path": "github.com/elastic/ecs/code/go/ecs", - "revision": "ab5e966864a6e2d4bc9fd6e2343e8d7f05f648fb", - "revisionTime": "2019-05-24T17:14:36Z", - "version": "v1.0.1", - "versionExact": "v1.0.1" + "revision": "cc1d96bf3f70a8e6af1e436a0283ef22b6af3dd2", + "revisionTime": "2019-08-22T17:44:49Z", + "version": "v1.1.0", + "versionExact": "v1.1.0" }, { "checksumSHA1": "vNnw1bUS8Ct+8H64QuA2DWRJ9SQ=", diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc index 3bdd2d9bd04..fefc60f8c86 100644 --- a/winlogbeat/docs/fields.asciidoc +++ b/winlogbeat/docs/fields.asciidoc 
@@ -366,6 +366,34 @@ example: 6.0.0-rc2 -- +[float] +=== as + +An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. + + +*`as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + [float] === client @@ -384,6 +412,28 @@ type: keyword -- +*`client.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`client.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`client.bytes`*:: + -- @@ -515,6 +565,28 @@ type: keyword -- +*`client.nat.ip`*:: ++ +-- +Translated IP of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + +type: ip + +-- + +*`client.nat.port`*:: ++ +-- +Translated port of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`client.packets`*:: + -- @@ -537,6 +609,16 @@ format: string -- +*`client.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`client.user.email`*:: + -- 
@@ -767,6 +849,28 @@ type: keyword -- +*`destination.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`destination.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`destination.bytes`*:: + -- @@ -898,6 +1002,28 @@ type: keyword -- +*`destination.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`destination.nat.port`*:: ++ +-- +Port the source session is translated to by NAT Device. +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`destination.packets`*:: + -- @@ -920,6 +1046,16 @@ format: string -- +*`destination.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`destination.user.email`*:: + -- 
@@ -988,6 +1124,198 @@ example: albert -- +[float] +=== dns + +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). + + +*`dns.answers`*:: ++ +-- +An array containing an object for each answer section returned by the server. +The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. +Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + +type: object + +-- + +*`dns.answers.class`*:: ++ +-- +The class of DNS data contained in this resource record. + +type: keyword + +example: IN + +-- + +*`dns.answers.data`*:: ++ +-- +The data describing the resource. +The meaning of this data depends on the type and class of the resource record. + +type: keyword + +example: 10.10.10.10 + +-- + +*`dns.answers.name`*:: ++ +-- +The domain name to which this resource record pertains. +If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + +type: keyword + +example: www.google.com + +-- + +*`dns.answers.ttl`*:: ++ +-- +The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + +type: long + +example: 180 + +-- + +*`dns.answers.type`*:: ++ +-- +The type of data contained in this resource record. + +type: keyword + +example: CNAME + +-- + +*`dns.header_flags`*:: ++ +-- +Array of 2 letter DNS header flags. 
+Expected values are: AA, TC, RD, RA, AD, CD, DO. + +type: keyword + +example: ['RD', 'RA'] + +-- + +*`dns.id`*:: ++ +-- +The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + +type: keyword + +example: 62111 + +-- + +*`dns.op_code`*:: ++ +-- +The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + +type: keyword + +example: QUERY + +-- + +*`dns.question.class`*:: ++ +-- +The class of of records being queried. + +type: keyword + +example: IN + +-- + +*`dns.question.name`*:: ++ +-- +The name being queried. +If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + +type: keyword + +example: www.google.com + +-- + +*`dns.question.registered_domain`*:: ++ +-- +The highest registered domain, stripped of the subdomain. +For example, the registered domain for "foo.google.com" is "google.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: google.com + +-- + +*`dns.question.type`*:: ++ +-- +The type of record being queried. + +type: keyword + +example: AAAA + +-- + +*`dns.resolved_ip`*:: ++ +-- +Array containing all IPs seen in `answers.data`. +The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
+ +type: ip + +example: ['10.10.10.10', '10.10.10.11'] + +-- + +*`dns.response_code`*:: ++ +-- +The DNS response code. + +type: keyword + +example: NOERROR + +-- + +*`dns.type`*:: ++ +-- +The type of DNS event captured, query or answer. +If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. +If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + +type: keyword + +example: answer + +-- + [float] === ecs @@ -1073,6 +1401,18 @@ example: user-management -- +*`event.code`*:: ++ +-- +Identification code for this event, if one exists. +Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + +type: keyword + +example: 4648 + +-- + *`event.created`*:: + -- @@ -1089,11 +1429,12 @@ type: date + -- Name of the dataset. -The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. +If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. +It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. type: keyword -example: stats +example: apache.access -- 
@@ -1156,11 +1497,11 @@ example: state + -- Name of the module this data is coming from. -This information is coming from the modules used in Beats or Logstash. +If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. type: keyword -example: mysql +example: apache -- @@ -1188,6 +1529,18 @@ example: success -- +*`event.provider`*:: ++ +-- +Source of the event. +Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + +type: keyword + +example: kernel + +-- + *`event.risk_score`*:: + -- @@ -1207,6 +1560,18 @@ type: float -- +*`event.sequence`*:: ++ +-- +Sequence number of the event. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. + +type: long + +format: string + +-- + *`event.severity`*:: + -- 
@@ -1249,56 +1614,129 @@ type: keyword -- -[float] -=== file +[float] +=== file + +A file is defined as a set of information that has been created on, or has existed on a filesystem. +File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. + + +*`file.accessed`*:: ++ +-- +Last time the file was accessed. +Note that not all filesystems keep track of access time. + +type: date + +-- + +*`file.created`*:: ++ +-- +File creation time. +Note that not all filesystems store the creation time. + +type: date + +-- + +*`file.ctime`*:: ++ +-- +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + +type: date + +-- + +*`file.device`*:: ++ +-- +Device that is the source of the file. + +type: keyword + +example: sda + +-- + +*`file.directory`*:: ++ +-- +Directory where the file is located. + +type: keyword + +example: /home/alice + +-- + +*`file.extension`*:: ++ +-- +File extension. + +type: keyword + +example: png + +-- + +*`file.gid`*:: ++ +-- +Primary group ID (GID) of the file. + +type: keyword -A file is defined as a set of information that has been created on, or has existed on a filesystem. -File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. +example: 1001 +-- -*`file.ctime`*:: +*`file.group`*:: + -- -Last time file metadata changed. +Primary group name of the file. -type: date +type: keyword + +example: alice -- -*`file.device`*:: +*`file.hash.md5`*:: + -- -Device that is the source of the file. +MD5 hash. 
type: keyword -- -*`file.extension`*:: +*`file.hash.sha1`*:: + -- -File extension. -This should allow easy filtering by file extensions. +SHA1 hash. type: keyword -example: png - -- -*`file.gid`*:: +*`file.hash.sha256`*:: + -- -Primary group ID (GID) of the file. +SHA256 hash. type: keyword -- -*`file.group`*:: +*`file.hash.sha512`*:: + -- -Primary group name of the file. +SHA512 hash. type: keyword @@ -1311,6 +1749,8 @@ Inode representing the file in the filesystem. type: keyword +example: 256383 + -- *`file.mode`*:: @@ -1320,19 +1760,30 @@ Mode of the file in octal representation. type: keyword -example: 416 +example: 0640 -- *`file.mtime`*:: + -- -Last time file content was modified. +Last time the file content was modified. type: date -- +*`file.name`*:: ++ +-- +Name of the file including the extension, without the directory. + +type: keyword + +example: example.png + +-- + *`file.owner`*:: + -- @@ -1340,24 +1791,31 @@ File owner's username. type: keyword +example: alice + -- *`file.path`*:: + -- -Path to the file. +Full path to the file. type: keyword +example: /home/alice/example.png + -- *`file.size`*:: + -- -File size in bytes (field is only added when `type` is `file`). +File size in bytes. +Only relevant when `file.type` is "file". type: long +example: 16384 + -- *`file.target_path`*:: @@ -1376,6 +1834,8 @@ File type (file, dir, or symlink). type: keyword +example: file + -- *`file.uid`*:: @@ -1385,6 +1845,8 @@ The user ID (UID) or security identifier (SID) of the file owner. type: keyword +example: 1001 + -- [float] 
@@ -1508,6 +1970,49 @@ type: keyword -- +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + [float] === host @@ -1741,6 +2246,27 @@ type: keyword -- +*`host.uptime`*:: ++ +-- +Seconds the host has been up. + +type: long + +example: 1325 + +-- + +*`host.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`host.user.email`*:: + -- @@ -1954,6 +2480,17 @@ example: err -- +*`log.logger`*:: ++ +-- +The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + +type: keyword + +example: org.elasticsearch.bootstrap.Bootstrap + +-- + *`log.original`*:: + -- @@ -2469,6 +3006,42 @@ example: /usr/bin/ssh -- +*`process.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.name`*:: + -- @@ -2481,6 +3054,17 @@ example: ssh -- +*`process.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + *`process.pid`*:: + -- @@ -2531,6 +3115,17 @@ format: string -- +*`process.thread.name`*:: ++ +-- +Thread name. + +type: keyword + +example: thread-0 + +-- + *`process.title`*:: + -- 
@@ -2541,6 +3136,17 @@ type: keyword -- +*`process.uptime`*:: ++ +-- +Seconds the process has been up. + +type: long + +example: 1325 + +-- + *`process.working_directory`*:: + -- @@ -2587,6 +3193,28 @@ type: keyword -- +*`server.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`server.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`server.bytes`*:: + -- @@ -2718,6 +3346,28 @@ type: keyword -- +*`server.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`server.nat.port`*:: ++ +-- +Translated port of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`server.packets`*:: + -- @@ -2740,6 +3390,16 @@ format: string -- +*`server.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`server.user.email`*:: + -- 
@@ -2830,9 +3490,9 @@ example: 8a4f500f *`service.id`*:: + -- -Unique identifier of the running service. -This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. -Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance. +Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. +This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. +Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. type: keyword @@ -2905,6 +3565,28 @@ type: keyword -- +*`source.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`source.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`source.bytes`*:: + -- @@ -3036,6 +3718,28 @@ type: keyword -- +*`source.nat.ip`*:: ++ +-- +Translated ip of source based NAT sessions (e.g. internal client to internet) +Typically connections traversing load balancers, firewalls, or routers. + +type: ip + +-- + +*`source.nat.port`*:: ++ +-- +Translated port of source based NAT sessions. (e.g. internal client to internet) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`source.packets`*:: + -- @@ -3058,6 +3762,16 @@ format: string -- +*`source.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`source.user.email`*:: + -- 
@@ -3126,6 +3840,36 @@ example: albert -- +[float] +=== tracing + +Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + +*`tracing.trace.id`*:: ++ +-- +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`tracing.transaction.id`*:: ++ +-- +Unique identifier of the transaction. +A transaction is the highest level of work measured within a service, such as a request to a server. + +type: keyword + +example: 00f067aa0ba902b7 + +-- + [float] === url @@ -3247,6 +3991,16 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +*`user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`user.email`*:: + -- diff --git a/winlogbeat/include/fields.go b/winlogbeat/include/fields.go index 39b4e0f3149..d370d827889 100644 --- a/winlogbeat/include/fields.go +++ b/winlogbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetBuildFieldsFieldsCommonYml returns asset data. // This is the base64 encoded gzipped contents of build/fields/fields.common.yml. func AssetBuildFieldsFieldsCommonYml() string { - return "" + return "" } diff --git a/x-pack/functionbeat/docs/fields.asciidoc b/x-pack/functionbeat/docs/fields.asciidoc index 342a28f3ea2..0a528e60595 100644 --- a/x-pack/functionbeat/docs/fields.asciidoc +++ b/x-pack/functionbeat/docs/fields.asciidoc 
@@ -363,6 +363,34 @@ example: 6.0.0-rc2 -- +[float] +=== as + +An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. + + +*`as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + [float] === client @@ -381,6 +409,28 @@ type: keyword -- +*`client.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`client.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`client.bytes`*:: + -- @@ -512,6 +562,28 @@ type: keyword -- +*`client.nat.ip`*:: ++ +-- +Translated IP of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + +type: ip + +-- + +*`client.nat.port`*:: ++ +-- +Translated port of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`client.packets`*:: + -- @@ -534,6 +606,16 @@ format: string -- +*`client.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`client.user.email`*:: + -- 
@@ -764,6 +846,28 @@ type: keyword -- +*`destination.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`destination.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`destination.bytes`*:: + -- @@ -895,6 +999,28 @@ type: keyword -- +*`destination.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`destination.nat.port`*:: ++ +-- +Port the source session is translated to by NAT Device. +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`destination.packets`*:: + -- @@ -917,6 +1043,16 @@ format: string -- +*`destination.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`destination.user.email`*:: + -- 
@@ -985,6 +1121,198 @@ example: albert -- +[float] +=== dns + +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). + + +*`dns.answers`*:: ++ +-- +An array containing an object for each answer section returned by the server. +The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. +Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + +type: object + +-- + +*`dns.answers.class`*:: ++ +-- +The class of DNS data contained in this resource record. + +type: keyword + +example: IN + +-- + +*`dns.answers.data`*:: ++ +-- +The data describing the resource. +The meaning of this data depends on the type and class of the resource record. + +type: keyword + +example: 10.10.10.10 + +-- + +*`dns.answers.name`*:: ++ +-- +The domain name to which this resource record pertains. +If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + +type: keyword + +example: www.google.com + +-- + +*`dns.answers.ttl`*:: ++ +-- +The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + +type: long + +example: 180 + +-- + +*`dns.answers.type`*:: ++ +-- +The type of data contained in this resource record. + +type: keyword + +example: CNAME + +-- + +*`dns.header_flags`*:: ++ +-- +Array of 2 letter DNS header flags. 
+Expected values are: AA, TC, RD, RA, AD, CD, DO. + +type: keyword + +example: ['RD', 'RA'] + +-- + +*`dns.id`*:: ++ +-- +The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + +type: keyword + +example: 62111 + +-- + +*`dns.op_code`*:: ++ +-- +The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + +type: keyword + +example: QUERY + +-- + +*`dns.question.class`*:: ++ +-- +The class of of records being queried. + +type: keyword + +example: IN + +-- + +*`dns.question.name`*:: ++ +-- +The name being queried. +If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + +type: keyword + +example: www.google.com + +-- + +*`dns.question.registered_domain`*:: ++ +-- +The highest registered domain, stripped of the subdomain. +For example, the registered domain for "foo.google.com" is "google.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: google.com + +-- + +*`dns.question.type`*:: ++ +-- +The type of record being queried. + +type: keyword + +example: AAAA + +-- + +*`dns.resolved_ip`*:: ++ +-- +Array containing all IPs seen in `answers.data`. +The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
+ +type: ip + +example: ['10.10.10.10', '10.10.10.11'] + +-- + +*`dns.response_code`*:: ++ +-- +The DNS response code. + +type: keyword + +example: NOERROR + +-- + +*`dns.type`*:: ++ +-- +The type of DNS event captured, query or answer. +If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. +If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + +type: keyword + +example: answer + +-- + [float] === ecs @@ -1070,6 +1398,18 @@ example: user-management -- +*`event.code`*:: ++ +-- +Identification code for this event, if one exists. +Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + +type: keyword + +example: 4648 + +-- + *`event.created`*:: + -- @@ -1086,11 +1426,12 @@ type: date + -- Name of the dataset. -The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. +If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. +It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. type: keyword -example: stats +example: apache.access -- 
@@ -1153,11 +1494,11 @@ example: state + -- Name of the module this data is coming from. -This information is coming from the modules used in Beats or Logstash. +If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. type: keyword -example: mysql +example: apache -- @@ -1185,6 +1526,18 @@ example: success -- +*`event.provider`*:: ++ +-- +Source of the event. +Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + +type: keyword + +example: kernel + +-- + *`event.risk_score`*:: + -- @@ -1204,6 +1557,18 @@ type: float -- +*`event.sequence`*:: ++ +-- +Sequence number of the event. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. + +type: long + +format: string + +-- + *`event.severity`*:: + -- 
@@ -1242,60 +1607,133 @@ type: keyword Reserved for future usage. Please avoid using this field for user data. -type: keyword +type: keyword + +-- + +[float] +=== file + +A file is defined as a set of information that has been created on, or has existed on a filesystem. +File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. + + +*`file.accessed`*:: ++ +-- +Last time the file was accessed. +Note that not all filesystems keep track of access time. + +type: date + +-- + +*`file.created`*:: ++ +-- +File creation time. +Note that not all filesystems store the creation time. + +type: date + +-- + +*`file.ctime`*:: ++ +-- +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + +type: date + +-- + +*`file.device`*:: ++ +-- +Device that is the source of the file. + +type: keyword + +example: sda + +-- + +*`file.directory`*:: ++ +-- +Directory where the file is located. + +type: keyword + +example: /home/alice + +-- + +*`file.extension`*:: ++ +-- +File extension. + +type: keyword + +example: png + +-- +*`file.gid`*:: ++ -- +Primary group ID (GID) of the file. -[float] -=== file +type: keyword -A file is defined as a set of information that has been created on, or has existed on a filesystem. -File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. +example: 1001 +-- -*`file.ctime`*:: +*`file.group`*:: + -- -Last time file metadata changed. +Primary group name of the file. 
-type: date +type: keyword + +example: alice -- -*`file.device`*:: +*`file.hash.md5`*:: + -- -Device that is the source of the file. +MD5 hash. type: keyword -- -*`file.extension`*:: +*`file.hash.sha1`*:: + -- -File extension. -This should allow easy filtering by file extensions. +SHA1 hash. type: keyword -example: png - -- -*`file.gid`*:: +*`file.hash.sha256`*:: + -- -Primary group ID (GID) of the file. +SHA256 hash. type: keyword -- -*`file.group`*:: +*`file.hash.sha512`*:: + -- -Primary group name of the file. +SHA512 hash. type: keyword @@ -1308,6 +1746,8 @@ Inode representing the file in the filesystem. type: keyword +example: 256383 + -- *`file.mode`*:: @@ -1317,19 +1757,30 @@ Mode of the file in octal representation. type: keyword -example: 416 +example: 0640 -- *`file.mtime`*:: + -- -Last time file content was modified. +Last time the file content was modified. type: date -- +*`file.name`*:: ++ +-- +Name of the file including the extension, without the directory. + +type: keyword + +example: example.png + +-- + *`file.owner`*:: + -- @@ -1337,24 +1788,31 @@ File owner's username. type: keyword +example: alice + -- *`file.path`*:: + -- -Path to the file. +Full path to the file. type: keyword +example: /home/alice/example.png + -- *`file.size`*:: + -- -File size in bytes (field is only added when `type` is `file`). +File size in bytes. +Only relevant when `file.type` is "file". type: long +example: 16384 + -- *`file.target_path`*:: @@ -1373,6 +1831,8 @@ File type (file, dir, or symlink). type: keyword +example: file + -- *`file.uid`*:: @@ -1382,6 +1842,8 @@ The user ID (UID) or security identifier (SID) of the file owner. type: keyword +example: 1001 + -- [float] 
@@ -1505,6 +1967,49 @@ type: keyword -- +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + [float] === host @@ -1738,6 +2243,27 @@ type: keyword -- +*`host.uptime`*:: ++ +-- +Seconds the host has been up. + +type: long + +example: 1325 + +-- + +*`host.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`host.user.email`*:: + -- @@ -1951,6 +2477,17 @@ example: err -- +*`log.logger`*:: ++ +-- +The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + +type: keyword + +example: org.elasticsearch.bootstrap.Bootstrap + +-- + *`log.original`*:: + -- @@ -2466,6 +3003,42 @@ example: /usr/bin/ssh -- +*`process.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.name`*:: + -- @@ -2478,6 +3051,17 @@ example: ssh -- +*`process.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + *`process.pid`*:: + -- @@ -2528,6 +3112,17 @@ format: string -- +*`process.thread.name`*:: ++ +-- +Thread name. + +type: keyword + +example: thread-0 + +-- + *`process.title`*:: + -- 
@@ -2538,6 +3133,17 @@ type: keyword -- +*`process.uptime`*:: ++ +-- +Seconds the process has been up. + +type: long + +example: 1325 + +-- + *`process.working_directory`*:: + -- @@ -2584,6 +3190,28 @@ type: keyword -- +*`server.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`server.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`server.bytes`*:: + -- @@ -2715,6 +3343,28 @@ type: keyword -- +*`server.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`server.nat.port`*:: ++ +-- +Translated port of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`server.packets`*:: + -- @@ -2737,6 +3387,16 @@ format: string -- +*`server.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`server.user.email`*:: + -- 
@@ -2827,9 +3487,9 @@ example: 8a4f500f *`service.id`*:: + -- -Unique identifier of the running service. -This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. -Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance. +Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. +This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. +Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. type: keyword @@ -2902,6 +3562,28 @@ type: keyword -- +*`source.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`source.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + *`source.bytes`*:: + -- @@ -3033,6 +3715,28 @@ type: keyword -- +*`source.nat.ip`*:: ++ +-- +Translated ip of source based NAT sessions (e.g. internal client to internet) +Typically connections traversing load balancers, firewalls, or routers. + +type: ip + +-- + +*`source.nat.port`*:: ++ +-- +Translated port of source based NAT sessions. (e.g. internal client to internet) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + *`source.packets`*:: + -- @@ -3055,6 +3759,16 @@ format: string -- +*`source.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`source.user.email`*:: + -- 
@@ -3123,6 +3837,36 @@ example: albert -- +[float] +=== tracing + +Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + +*`tracing.trace.id`*:: ++ +-- +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`tracing.transaction.id`*:: ++ +-- +Unique identifier of the transaction. +A transaction is the highest level of work measured within a service, such as a request to a server. + +type: keyword + +example: 00f067aa0ba902b7 + +-- + [float] === url @@ -3244,6 +3988,16 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +*`user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + *`user.email`*:: + -- diff --git a/x-pack/functionbeat/include/fields.go b/x-pack/functionbeat/include/fields.go index e0271504e1f..6dc69a7c23b 100644 --- a/x-pack/functionbeat/include/fields.go +++ b/x-pack/functionbeat/include/fields.go @@ -19,5 +19,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" }