Implement ECS-Compatibility Mode #163

Closed
yaauie opened this issue Feb 26, 2020 · 3 comments · Fixed by #179


yaauie commented Feb 26, 2020

As a part of the effort to make plugins able to run in an ECS-Compatible manner
by default in an upcoming release of Logstash, this plugin needs to implement
an ECS-Compatibility mode that does not implicitly use fields that conflict
with ECS.

Absent `target` directive, this plugin uses root-level field `geoip`,
which is undefined in ECS and therefore has the possibility of conflicting
with future versions of ECS. The plugin may benefit from an ECS-Compatibility
mode that requires the target to be set explicitly, by using the ECS-compatible
root-level `geo` object (edit: "the geo fields are not expected to be used
directly at the top level."), or otherwise reduces the risk of future conflict.

Additional analysis will need to be made to ensure the resulting object is also compatible with the geo field type in ECS.


kares commented Feb 27, 2020

Plugin will need to be aligned with ES output (default template for geoip: ... needs to be adjusted)


yaauie commented Feb 27, 2020

| DB Field Name | ECS Equivalent Subfield Name |
| --- | --- |
| `asn` | `[as][number]` |
| `as_org` | `[as][organization][name]` |
| `city_name` | `[geo][city_name]` |
| `country_name` | `[geo][country_name]` |
| `continent_code` | N/A |
| `continent_name` | `[geo][continent_name]` |
| `country_code2` | `[geo][country_iso_code]` |
| `country_code3` | * alias for `country_code2` |
| `ip` | * the ip used for lookup |
| `isp` | N/A |
| `postal_code` | N/A |
| `dma_code` | N/A |
| `region_name` | `[geo][region_name]` |
| `region_code` | `[geo][region_iso_code]`* (breaking: legacy `WA` -> ecs `US-WA`) |
| `timezone` | N/A |
| `location` | * alias for latitude & longitude |
| `latitude` | `[geo][location][lat]` |
| `longitude` | `[geo][location][lon]` |
| `organization` | N/A |
| it depends | `[geo][name]` |

@jeffrysleddens

asn and as_org map to the autonomous systems fields (https://www.elastic.co/guide/en/ecs/current/ecs-as.html) as.number and as.organization.name respectively

kaisecheng added a commit that referenced this issue Mar 25, 2021
Add ECS support
* skip country_code3
* auto set `target` from `source`

Fixed: #163

Co-authored-by: Ry Biesemeyer <ry.biesemeyer@elastic.co>
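
The mapping table above, applied to one lookup result, as an added Ruby example that is not part of the original thread and is not the plugin's code. The helper names (`field_path`, `to_ecs`), the sample values, and the choice to drop fields marked N/A or listed as aliases are assumptions made for illustration; the explicit `target` requirement follows the issue text.

```ruby
# Added illustration; mapping rows copied from the table in this thread.
ECS_FIELD_MAP = {
  "asn"            => "[as][number]",
  "as_org"         => "[as][organization][name]",
  "city_name"      => "[geo][city_name]",
  "country_name"   => "[geo][country_name]",
  "continent_name" => "[geo][continent_name]",
  "country_code2"  => "[geo][country_iso_code]",
  "region_name"    => "[geo][region_name]",
  "region_code"    => "[geo][region_iso_code]",
  "latitude"       => "[geo][location][lat]",
  "longitude"      => "[geo][location][lon]",
}.freeze

# Split a field reference such as "[geo][location][lat]" into its path keys.
def field_path(reference)
  reference.scan(/\[([^\[\]]+)\]/).flatten
end

# Hypothetical helper: turn a flat legacy lookup result into a nested,
# ECS-shaped hash placed under an explicitly supplied target.
def to_ecs(legacy, target)
  raise ArgumentError, "target must be set explicitly" if target.nil? || target.empty?
  ecs = {}
  legacy.each do |name, value|
    reference = ECS_FIELD_MAP[name]
    next if reference.nil? || value.nil? # N/A rows and aliases are dropped (assumption)
    if name == "region_code"
      country = legacy["country_code2"]
      next if country.nil?               # no country, no ISO-style region code
      value = "#{country}-#{value}"      # breaking change: legacy "WA" -> ECS "US-WA"
    end
    *parents, leaf = field_path(reference)
    node = parents.reduce(ecs) { |hash, key| hash[key] ||= {} }
    node[leaf] = value
  end
  { target => ecs }
end

# Constructed sample input, not real lookup data.
SAMPLE_LEGACY = {
  "ip" => "192.0.2.10", "asn" => 64500, "as_org" => "Example Net",
  "city_name" => "Seattle", "country_code2" => "US", "country_code3" => "US",
  "region_code" => "WA", "region_name" => "Washington",
  "latitude" => 47.6, "longitude" => -122.3, "timezone" => "America/Los_Angeles",
}.freeze
```

Detection content written against the legacy `region_code` value (`WA`) will not match the ECS form (`US-WA`), which is the breaking change flagged in the table.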