From 977c105936a0a2948b543183b233043f501c484b Mon Sep 17 00:00:00 2001 
From: Austin Smith <76973609+asmith-elastic@users.noreply.github.com>
Date: Mon, 12 Sep 2022 14:58:05 -0700
Subject: [PATCH] Swap `source.bytes` and `destination.bytes` traffic log mappings (#32927)

* Swap `source.bytes` and `destination.bytes` traffic log mappings

This documentation currently maps `Bytes Received` to `server.bytes` and `source.bytes` as well as `Bytes Sent` to `client.bytes` and `destination.bytes`. This mapping is incorrect as per the [Palo Alto Docs](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields), `bytes_sent` is defined as `Number of bytes in the client-to-server direction of the session.` and matches the ECS definitions for `client.bytes` and `source.bytes` being bytes from `client/source => server/destination`. Likewise, `bytes_received` is defined as `Number of bytes in the server-to-client direction of the session.` and matches the `destination.bytes` and `server.bytes` definitions in ECS being the bytes sent from `server/destination => client/source`.

Furthermore, the [panw filebeat module mapping](https://github.com/elastic/beats/blob/v8.4.0/x-pack/filebeat/module/panw/panos/config/input.yml#L95) and [integration pipeline](https://github.com/elastic/integrations/blob/main/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/traffic.yml#L212) both follow the above conventions.

This proposed change will map `Bytes Received` to `destination.bytes` and `Bytes Sent` to `client.bytes`.

* Swap `source.bytes` and `destination.bytes` traffic log mappings

Swapping the values of `source.bytes` and `destination.bytes` in order to align the documentation with the changes implemented in https://github.com/elastic/beats/pull/18525

* Run make update

Co-authored-by: dedemorton
---
 filebeat/docs/modules/panw.asciidoc             | 4 ++--
 x-pack/filebeat/module/panw/_meta/docs.asciidoc | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/filebeat/docs/modules/panw.asciidoc b/filebeat/docs/modules/panw.asciidoc index df4dfea00962..9e87825c63d6 100644 --- a/filebeat/docs/modules/panw.asciidoc +++ b/filebeat/docs/modules/panw.asciidoc @@ -110,8 +110,8 @@ in ECS that are added under the `panw.panos` prefix: | Protocol | network.transport | | Action | event.outcome | | Bytes | network.bytes | -| Bytes Sent | client.bytes destination.bytes | -| Bytes Received | server.bytes source.bytes | +| Bytes Sent | client.bytes source.bytes | +| Bytes Received | server.bytes destination.bytes | | Packets | network.packets | | Start Time | event.start | | Elapsed Time | event.duration | diff --git a/x-pack/filebeat/module/panw/_meta/docs.asciidoc b/x-pack/filebeat/module/panw/_meta/docs.asciidoc index 6832ecdd5e9c..fa31ad65672e 100644 --- a/x-pack/filebeat/module/panw/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/panw/_meta/docs.asciidoc @@ -103,8 +103,8 @@ in ECS that are added under the `panw.panos` prefix: | Protocol | network.transport | | Action | event.outcome | | Bytes | network.bytes | -| Bytes Sent | client.bytes destination.bytes | -| Bytes Received | server.bytes source.bytes | +| Bytes Sent | client.bytes source.bytes | +| Bytes Received | server.bytes destination.bytes | | Packets | network.packets | | Start Time | event.start | | Elapsed Time | event.duration |
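Review bot: the filebeat/docs/modules/panw.asciidoc hunk fixes the direction of the two rows (`Bytes Sent` now lands on `client.bytes source.bytes`, `Bytes Received` on `server.bytes destination.bytes`, matching the client-to-server and server-to-client definitions quoted in the commit message) but gives the reader no version marker. Since the commit message says the module's own behaviour was changed in elastic/beats#18525 and the docs are only now catching up, consider a one-line note under the table stating from which module version this mapping applies, so anyone correlating against data indexed by earlier module versions knows the two byte-count fields may be reversed in older documents.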
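Review bot: the x-pack/filebeat/module/panw/_meta/docs.asciidoc hunk is identical to the first one, which is what you want here: this file is the module's source copy of the table and the `Run make update` step in the commit message regenerates filebeat/docs/modules/panw.asciidoc from it, so the diffstat showing 4/4 in both files confirms nothing drifted between source and generated docs. One style point while these rows are being touched: each cell lists two ECS fields separated only by a space (`| Bytes Sent | client.bytes source.bytes |`), which reads as a single field name at a glance; a comma, or an AsciiDoc `+` line break between the two, would make it clearer that both fields are populated.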