[Packetbeat] Update DNS protocol to use ECS fields (#9941)

* Vendor github.com/elastic/ecs/code/go/ecs Update NOTICE * Update DNS protocol to use ECS fields This updates the DNS protocol to have more closely follow ECS. The DNS tunneling dashboard has been updated to work with the new field names. In order to better interoperate with other data sources the trailing dot has been removed from domain names. For example, previously Packetbeat would produce `dns.question.name:elastic.co.` and now it will simply produce `dns.question.name:elastic.co`. It's a breaking change but it will be make it easier to pivot with other data sources. Part of #7968 Here's a summary of what fields changed. Changed - bytes_in -> source.bytes - bytes_out -> destination.bytes - notes -> error.message - responsetime -> event.duration (unit are now nanoseconds) - transport -> network.transport Added - event.end - event.start - network.bytes - network.community_id - network.protocol = dns - network.transport = udp/tcp - network.type Unchanged Packetbeat Fields - method - dns opcode - query = class {{ dns.question.class }}, type {{ dns.question.type }}, {{ dns.question.name }} - request - text representation of the entire request - response - text representation of the entire response - resource - dns.question.name - status - type = dns (we might remove this since we have event.dataset) * Add packetbeat fields to ecs-migration.yml No aliases yet because these fields are still used. * Fix DNS overview dashboard There was an ID collision over the `DNS` ID. * Update dashboards.yml * Send zero value time.Duration With low resolution timers on Windows it's very possible that an event can have an event.duration=0 and we want to send that field when this occurs.
elastic · Jan 10, 2019 · 1887aff · 1887aff
1 parent 5d66781
commit 1887aff
Show file tree

Hide file tree

Showing 49 changed files with 4,039 additions and 1,153 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -41,6 +41,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Adjust Packetbeat `http` fields to ECS Beta 2 {pull}9645[9645]
   - `http.request.body` moves to `http.request.body.content`
   - `http.response.body` moves to `http.response.body.content`
+- Changed DNS protocol fields to align with ECS. {pull}9941[9941]
+- Removed trailing dot from domain names reported by the DNS protocol. {pull}9941[9941]
 
 *Winlogbeat*
 

diff --git a/NOTICE.txt b/NOTICE.txt
@@ -532,6 +532,30 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
+--------------------------------------------------------------------
+Dependency: github.com/elastic/ecs
+Revision: 69de90eb6493e0804405321f48adfdfa488d6498
+License type (autodetected): Apache-2.0
+./vendor/github.com/elastic/ecs/LICENSE.txt:
+--------------------------------------------------------------------
+Apache License 2.0
+
+-------NOTICE.txt-----
+Elastic Common Schema
+Copyright 2018 Elasticsearch B.V.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
 --------------------------------------------------------------------
 Dependency: github.com/elastic/go-libaudit
 Version: v0.4.0

diff --git a/dev-tools/ecs-migration.yml b/dev-tools/ecs-migration.yml
@@ -636,3 +636,33 @@
   to: event.dataset
   alias: false
   comment: No alias mapping as field did not always exist
+
+# Packetbeat
+
+## Shared
+- from: bytes_in
+  to: source.bytes
+  alias: false
+  comment: Don't add an alias until all of Packetbeat stops using this field.
+
+- from: bytes_out
+  to: destination.bytes
+  alias: false
+  comment: Don't add an alias until all of Packetbeat stops using this field.
+
+- from: notes
+  to: error.message
+  alias: false
+  comment: Don't add an alias until all of Packetbeat stops using this field.
+
+- from: responsetime
+  to: event.duration
+  alias: false
+  comment: >
+    Units changed from usec to nsec. Don't add an alias until all of Packetbeat
+    stops using this field.
+
+- from: transport
+  to: network.transport
+  alias: false
+  comment: Don't add an alias until all of Packetbeat stops using this field.