Elastic Endpoint Package #223
Conversation
For the categories: I guess we will only have security or endpoint? I would suggest to go for now with "Security". Are the events you are shipping now ending up under
Sounds good! I'll switch it to Security
I think we're going to go with
dev/package-examples/endpoint-0.0.1/dataset/endpoint.events/fields/fields.yml
dev/package-examples/endpoint-0.0.1/dataset/endpoint.events/manifest.yml
@@ -0,0 +1,200 @@ | |||
- name: "@timestamp" |
Same comment as above for the path.
I remember also a discussion around endpoint only using one index? But having 2 datasets would mean 2 indices?
Gotcha I'll change the dataset name.
So there will be one index for events and alerts (events) and then another index for the metadata of an endpoint for now.
Got it, then this makes sense.
This raises the question of how the metadata index will be called. `events-endpoint.metadata-*`? If yes, the name here is correct.
So this one will actually be `metrics-endpoint.metadata-*` (the type is `metrics`, this is information about endpoints and their status etc). Do you think `endpoint.metadata` is a reasonable name? I figured `metrics-metadata` wasn't super clear on what it was referring to, that's why I added the `endpoint` in there.
If we stick with `endpoint.metadata`, would it be better to be consistent in the dataset directory and leave the events one as `endpoint.events`?
Agree that we can't really use `metrics-metadata` as this is too generic and not clear it would belong to endpoint.
By default we will have that the dataset id = {package.name}.{directory.name}. So in the nginx case we have access, error and stubstatus directories. The problem above is that you only have `events-endpoint` which means the above does not work as the package is already endpoint. You will have to set id in any case. I would probably call the directory `events`, and the other one `metadata`.
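Worked example of the naming rule in the comment above (added here as an illustration; it is not code from the package or this repository): it derives each dataset's id and backing index pattern from the package name, directory name, type and an optional explicit id, and shows why the pre-rename `endpoint.events` directory needs an explicit id. The `type` and `id` manifest keys and the nginx dataset types are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Dataset:
    """One directory under dataset/ in a package (constructed model, not the real schema)."""
    directory: str            # directory name, e.g. "events"
    type: str                 # assumed manifest key: "events", "metrics" or "logs"
    id: Optional[str] = None  # assumed manifest key: explicit dataset id override


def dataset_id(package: str, ds: Dataset) -> str:
    """Default from the thread: {package.name}.{directory.name}; an explicit id wins."""
    return ds.id if ds.id else f"{package}.{ds.directory}"


def index_pattern(package: str, ds: Dataset) -> str:
    """Backing index pattern: {type}-{dataset id}-*."""
    return f"{ds.type}-{dataset_id(package, ds)}-*"


def derive_all(package: str, datasets: List[Dataset]) -> Dict[str, Tuple[str, str]]:
    """Map each directory to (dataset id, index pattern)."""
    return {ds.directory: (dataset_id(package, ds), index_pattern(package, ds))
            for ds in datasets}


# Constructed samples. nginx types are assumed; the endpoint layouts follow the thread.
NGINX = [Dataset("access", "logs"), Dataset("error", "logs"),
         Dataset("stubstatus", "metrics")]
# Before the rename: the directory already carries the package name, so the
# default id would repeat it and an explicit id is required.
ENDPOINT_BEFORE = [Dataset("endpoint.events", "events"),
                   Dataset("endpoint.metadata", "metrics")]
# After the rename: the defaults give endpoint.events / endpoint.metadata directly.
ENDPOINT_AFTER = [Dataset("events", "events"), Dataset("metadata", "metrics")]

if __name__ == "__main__":
    for name, dss in [("nginx", NGINX), ("endpoint", ENDPOINT_BEFORE),
                      ("endpoint", ENDPOINT_AFTER)]:
        for d, (did, pat) in derive_all(name, dss).items():
            print(f"{name}/{d}: id={did} index={pat}")
```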
Ah ok I see. I'll rename the directories and set the `id` field. Should I rebase off of #176?
I suggest let's get this in as is and then adjust it again as soon as #176 lands.
Ok sounds good, I moved the datasets to `events` and `metadata`. I'm good to merge. @james-elastic could I get a 👍
I created #228 to also have a base template in place for events-*. Should not affect this PR but thought worth to mention here.
LGTM
This PR adds the elastic endpoint package that has datasets for events and metadata and the fields.yml for both.
I created the `security` category. If we want an index pattern created for `events-*` we'll need to merge this PR as well: elastic/kibana#58908