[Filebeat] Improve ECS field mappings in aws module #16307

Merged
merged 3 commits into from
Feb 21, 2020

Conversation

leehinman
Contributor

  • elb fileset

    • cloud.provider
    • event.category
    • event.kind
    • event.outcome
    • http.response.status_code, convert to long
    • http.request.method, lowercase
    • tracing.trace.id
  • s3access fileset

    • client.address
    • client.ip
    • geo
    • client.user.id
    • cloud.provider
    • event.action
    • event.code
    • event.duration
    • event.id
    • event.kind
    • event.outcome
    • http.request.referrer
    • http.response.status_code
    • related.user
    • user_agent
  • vpcflow fileset

    • cloud.provider
    • cloud.account.id
    • cloud.instance.id
    • event.kind

Closes #16154

@leehinman leehinman added enhancement Filebeat Filebeat needs_backport PR is waiting to be backported to other branches. Team:SIEM ecs labels Feb 13, 2020
@leehinman leehinman requested a review from a team as a code owner February 13, 2020 15:27
@elasticmachine
Collaborator

Pinging @elastic/siem (Team:SIEM)

Member

@andrewkroh andrewkroh left a comment

Great to see the ECS progress.

value: network

- convert:
    field: http.response.status_code
Member

This can be accomplished in the grok statement by adding :long like we have in %{NUMBER:http.request.body.bytes:long}.

Member

@andrewkroh andrewkroh Feb 13, 2020

In general using the grok should also be safer, because if this fails with ignore_failure the data won't be indexed because of a mapping exception (assuming the field is mapped as a long).

It probably would never fail to convert here since the grok has it as a NUMBER, but it's something to keep in mind for other cases.

value: success

- set:
    if: 'ctx?.http?.response?.status_code != null && ctx.http.response.status_code > 399'
Member

Just a suggestion.

Suggested change
if: 'ctx?.http?.response?.status_code != null && ctx.http.response.status_code > 399'
if: 'ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400'


- set:
    if: "ctx?.aws?.s3access?.remote_ip != null"
    field: client.ip
Member

How about related.ip too?
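The three review points above (typing the status code as a long inside grok instead of a separate convert step, the `>= 400` condition for event.outcome, and copying the client address into related.ip as well as client.ip) combined into one Elasticsearch ingest pipeline fragment. This is an added illustration, not the aws module's own pipeline: the grok pattern is a simplified constructed one rather than the real S3 access log format, and the `failure` outcome value and the `on_failure` handler are assumptions.

```yaml
description: Constructed pipeline fragment illustrating the review comments (not the module's pipeline)
processors:
  # Type the status code as a long inside grok. If the token is not numeric
  # the grok step itself fails and on_failure runs; with a separate convert
  # processor plus ignore_failure, a string would reach a field mapped as
  # long and the document would be rejected with a mapping exception.
  # The pattern below is a constructed, simplified log layout.
  - grok:
      field: message
      patterns:
        - '%{IP:aws.s3access.remote_ip} %{NUMBER:http.response.status_code:long} %{NUMBER:http.request.body.bytes:long}'
  # Default outcome, then override for HTTP 4xx/5xx. ">= 400" is equivalent
  # to "> 399" for integer status codes but reads as the status-class boundary.
  - set:
      field: event.outcome
      value: success
  - set:
      if: 'ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400'
      field: event.outcome
      value: failure
  # Populate client.ip and also append the address to related.ip, so one
  # query on related.ip finds the event whatever role the address played.
  - set:
      if: 'ctx?.aws?.s3access?.remote_ip != null'
      field: client.ip
      value: '{{aws.s3access.remote_ip}}'
  - append:
      if: 'ctx?.aws?.s3access?.remote_ip != null'
      field: related.ip
      value: '{{aws.s3access.remote_ip}}'
on_failure:
  # Keep the document and record why parsing failed instead of dropping it.
  - set:
      field: error.message
      value: '{{ _ingest.on_failure_message }}'
```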

leehinman and others added 2 commits February 18, 2020 18:26
- improve grok pattern to make status code a long
- make status code check more readable
- add remote_ip to related.ip
@leehinman leehinman merged commit 913f7ee into elastic:master Feb 21, 2020
@leehinman leehinman deleted the 16154_aws_ecs_1.4 branch February 21, 2020 03:00
leehinman added a commit to leehinman/beats that referenced this pull request Feb 21, 2020
* Improve ECS field mappings in aws module

- elb fileset
  + cloud.provider
  + event.category
  + event.kind
  + event.outcome
  + http.response.status_code, convert to long
  + http.request.method, lowercase
  + tracing.trace.id

- s3access fileset
  + client.address
  + client.ip
  + geo
  + client.user.id
  + cloud.provider
  + event.action
  + event.code
  + event.duration
  + event.id
  + event.kind
  + event.outcome
  + http.request.referrer
  + http.response.status_code
  + related.ip
  + related.user
  + user_agent

- vpcflow fileset
  + cloud.provider
  + cloud.account.id
  + cloud.instance.id
  + event.kind

Closes elastic#16154

(cherry picked from commit 913f7ee)
@leehinman leehinman added v7.7.0 and removed needs_backport PR is waiting to be backported to other branches. labels Feb 21, 2020
leehinman added a commit that referenced this pull request Feb 21, 2020
Successfully merging this pull request may close these issues.

[Filebeat] Upgrade aws module to ECS 1.4
3 participants