Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update TLS protocol to use ECS fields #9980

Merged
merged 2 commits into from
Jan 14, 2019
Merged

Update TLS protocol to use ECS fields #9980

merged 2 commits into from
Jan 14, 2019

Conversation

andrewkroh
Copy link
Member

@andrewkroh andrewkroh commented Jan 10, 2019
edited
Loading

NOTE: This is based on another open PR so please only review the last commit

That dashboards were updated too. There weren't many changes needed w.r.t. fields
but I did update the visualizations and saved searches to include [Packetbeat] in their
names.

I added a python test case for TLS and discovered a few fields that were not documented
so I updated the fields docs accordingly.

Here's a summary of what fields changed.

Part of #7968

Changed

  • responsetime -> event.duration (unit are now nanoseconds)

Added

  • event.dataset = tls
  • event.end
  • event.start
  • network.community_id
  • network.protocol = tls
  • network.type
  • source.domain (added if there's a SNI value)

Unchanged Packetbeat Fields

  • status
  • type = http (we might remove this since we have event.dataset)

@andrewkroh andrewkroh requested review from a team as code owners January 10, 2019 03:07
adriansr
adriansr approved these changes Jan 10, 2019
View reviewed changes
Copy link
Contributor

@adriansr adriansr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for the improvements and new tests!

packetbeat/_meta/kibana/6/dashboard/Packetbeat-tls.json Outdated
"enabled": true,
"id": "2",
"params": {
"exclude": "xxx-nope",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess I added this to the dashboard while creating it. Can you remove it?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@andrewkroh
Update TLS protocol to use ECS fields
7d67c7c 
That dashboards were updated too. There weren't many changes needed w.r.t. fields
but I did update the visualizations and saved searches to include `[Packetbeat]` in their
names.

I added a python test case for TLS and discovered a few fields that were not documented
so I updated the fields docs accordingly.

Here's a summary of what fields changed.

Part of elastic#7968

Changed

- responsetime -> event.duration (unit are now nanoseconds)

Added

- event.dataset = tls
- event.end
- event.start
- network.community_id
- network.protocol = tls
- network.type
- source.domain (added if there's a SNI value)

Unchanged Packetbeat Fields

- status
- type = http (we might remove this since we have event.dataset)
@andrewkroh
Update TLS Session Resume to remove xxx-nope
e0c1a4f
@andrewkroh andrewkroh merged commit c956b80 into elastic:master Jan 14, 2019
@andrewkroh andrewkroh mentioned this pull request Jan 24, 2019
Closed
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adriansr adriansr adriansr approved these changes

Assignees
No one assigned
Labels
ecs Packetbeat review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@andrewkroh @adriansr