Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Convert Packetbeat Flows to ECS #9121

Merged
merged 2 commits into from
Dec 12, 2018
Merged

Convert Packetbeat Flows to ECS #9121

merged 2 commits into from
Dec 12, 2018

Conversation

andrewkroh
Copy link
Member

@andrewkroh andrewkroh commented Nov 15, 2018
edited
Loading

The makes changes to the event format generated by Packetbeat's flow feature.

Sample Event

This is part of #7968.

Field Changes

  • type -> event.type
  • transport -> network.transport
  • flow_id -> flow.id
  • final -> flow.final
  • vlan -> flow.vlan [We might want this in ECS as network.vlan.]
  • start_time -> event.start
  • last_time -> event.end
  • source.stats.net_bytes_total -> source.bytes
  • source.stats.net_packets_total -> source.packets
  • dest.stats.net_bytes_total -> destination.bytes
  • dest.stats.net_packets_total -> destination.packets

Added

  • network.bytes
  • network.packets
  • event.duration

Frames with multiple levels of encapsulation like 802.1q with "Q-in-Q" will result in certain fields becoming an array with the outer most metadata being listed first (e.g. source.ip, destination.ip, flow.vlan).

Any dashboards associated with flows are not updated in this change.

@andrewkroh andrewkroh added in progress Pull request is currently in progress. review Packetbeat ecs labels Nov 15, 2018
@ruflin ruflin mentioned this pull request Nov 16, 2018
Closed
ruflin
ruflin reviewed Nov 19, 2018
View reviewed changes
Copy link
Member

@ruflin ruflin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you also update the ECS migration file?

packetbeat/_meta/fields.common.yml Outdated Show resolved Hide resolved
packetbeat/_meta/sample_outputs/flow.json
"start": "2018-11-15T14:41:21.000Z",
"type": "flow"
},
"flow": {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the flow prefix.

@ruflin
Copy link
Member

ruflin commented Nov 19, 2018

I wonder if we should have a second file besides ecs-migration.yml just called beats-migration.yml where we list all the fields that we migrated in Beats. This PR contains changes which are breaking but don't belong necessarily all in ecs-migration.yml.

@andrewkroh
Copy link
Member Author

This has been updated based on the proposed changes in elastic/ecs#179.

@andrewkroh andrewkroh mentioned this pull request Nov 21, 2018
Closed
9 tasks
@ruflin
Copy link
Member

ruflin commented Nov 23, 2018

@andrewkroh Should in your PR description above dest.stats.net_packets_total -> destination.bytes be destination.packets? Same for source.

@andrewkroh andrewkroh removed the in progress Pull request is currently in progress. label Nov 27, 2018
@andrewkroh
Copy link
Member Author

@andrewkroh Should in your PR description above dest.stats.net_packets_total -> destination.bytes be destination.packets? Same for source.

Good catch. I fixed it in the description and the commit message.

I squashed the existing commits and rebased on master.

ruflin
ruflin reviewed Nov 29, 2018
View reviewed changes
Copy link
Member

@ruflin ruflin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume this PR is not planned to be backported?

We should also discuss migration compatiblity of packetbeat to 7.0 /ECS.

libbeat/_meta/fields.ecs.yml Show resolved Hide resolved
libbeat/_meta/fields.ecs.yml Outdated Show resolved Hide resolved
@elasticmachine
Copy link
Collaborator

Pinging @elastic/secops

@andrewkroh andrewkroh mentioned this pull request Nov 30, 2018
Merged
@andrewkroh
Copy link
Member Author

I assume this PR is not planned to be backported?

@ruflin None of these fields changes are being back-ported.

@ruflin
Copy link
Member

ruflin commented Dec 3, 2018

@andrewkroh As the above migrated fields are all 1-1 mappings, should we introduce aliases for it in 6.x?

@andrewkroh
Copy link
Member Author

@ruflin Good idea. I'll added a checklist item to the parent issue for adding alias. I think it would make sense to look at the whole list of changes made for 7.0 then open a single PR to add all the alias we desire for Packetbeat to the 6.x branch.

@andrewkroh andrewkroh mentioned this pull request Dec 4, 2018
Merged
@andrewkroh
Update ECS fields
fe60901 
Updating schema to commit 349406f59e5c7c80a20c9f213370d2601b73f040.

Some fields were removed so I added placeholder fields with TODO statements. Those fields can be removed after modules using the fields are updated accordingly.
@andrewkroh
Convert Packetbeat Flows to ECS
9b8c4d7 
The makes changes to the event format generated by Packetbeat's flow feature.

Field Changes

- type -> event.type
- transport -> network.transport
- flow_id -> flow.id
- final -> flow.final
- vlan -> flow.vlan
- start_time -> event.start
- last_time -> event.end
- source.stats.net_bytes_total -> source.bytes
- source.stats.net_packets_total -> source.packets
- dest.stats.net_bytes_total -> destination.bytes
- dest.stats.net_packets_total -> destination.packets

Added
- network.bytes
- network.packets
- event.duration

Frames with multiple levels of encapsulation like 802.1q with "Q-in-Q" will result in certain fields becoming an array with the outer most metadata being listed first (e.g. source.ip, destination.ip, flow.vlan).

Any dashboards associated with flows are not updated in this change.

Part of elastic#7968.
@andrewkroh
Copy link
Member Author

@ruflin I rebased this since it’s been in existence for a while. Can you please take another look?

What changed?

  • Pulled in the latest copy of ECS. (first commit)
  • Any fields that were removed from ECS that we still used elsewhere were moved to the bottom of fields.ecs.yml with a comment.
  • Nothing changed on the Packetbeat side (the second commit).

ruflin
ruflin approved these changes Dec 11, 2018
View reviewed changes
Copy link
Member

@ruflin ruflin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. @webmat Perhaps you could also have a look?

packetbeat/tests/system/test_0060_flows.py
@@ -34,22 +34,22 @@ def test_mysql_flow(self):
pprint(objs)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is this new pcap file just above (can't comment there)? Is that intentional in this PR?

libbeat/_meta/fields.ecs.yml
@@ -97,6 +118,125 @@
different values which are then freely searchable. If multiple
messages exist, they can be combined into one message.

- name: client
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not fully convinced we should add the full ecs fields yml to each Beat or only add the fields which are used by more then one Beat. We can still clean this up later.

@andrewkroh andrewkroh merged commit 66a9525 into elastic:master Dec 12, 2018
@andrewvc andrewvc mentioned this pull request Dec 12, 2018
Merged
@cwurm cwurm mentioned this pull request Dec 18, 2018
Closed
exekias
exekias reviewed Jan 9, 2019
View reviewed changes
libbeat/_meta/fields.ecs.yml
type: keyword
description: >
Unique ID to describe the event.
example: 8a4f500d
phase: 1

- name: kind
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this backport failed because kind is not present in 6.x: #9962, do you plan to backport this PR?

Alternatively, should I copy back this file to 6.x? cc @ruflin

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Packetbeat flow changes are not being back-ported to 6.x.

@andrewkroh andrewkroh mentioned this pull request Jan 15, 2019
Merged
DStape pushed a commit to DStape/beats that referenced this pull request Aug 20, 2019
@andrewkroh
Convert Packetbeat Flows to ECS (elastic#9121)
dbf034c 
* Update ECS fields

Updating schema to commit 349406f59e5c7c80a20c9f213370d2601b73f040.

Some fields were removed so I added placeholder fields with TODO statements. Those fields can be removed after modules using the fields are updated accordingly.

* Convert Packetbeat Flows to ECS

The makes changes to the event format generated by Packetbeat's flow feature.

Field Changes

- type -> event.type
- transport -> network.transport
- flow_id -> flow.id
- final -> flow.final
- vlan -> flow.vlan
- start_time -> event.start
- last_time -> event.end
- source.stats.net_bytes_total -> source.bytes
- source.stats.net_packets_total -> source.packets
- dest.stats.net_bytes_total -> destination.bytes
- dest.stats.net_packets_total -> destination.packets

Added
- network.bytes
- network.packets
- event.duration

Frames with multiple levels of encapsulation like 802.1q with "Q-in-Q" will result in certain fields becoming an array with the outer most metadata being listed first (e.g. source.ip, destination.ip, flow.vlan).

Any dashboards associated with flows are not updated in this change.

Part of elastic#7968.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@graphaelli graphaelli graphaelli left review comments

@exekias exekias exekias left review comments

@ruflin ruflin ruflin approved these changes

Assignees
No one assigned
Labels
ecs Packetbeat review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@andrewkroh @ruflin @elasticmachine @graphaelli @exekias