Add fields used by Suricata module
Add fields used by Suricata module to fields.yml. Some of these are in ECS.

event.type
destination.ip
destination.port
user_agent.original
user_agent.device
user_agent.version
user_agent.major
user_agent.minor
user_agent.patch
user_agent.name
user_agent.os.name
user_agent.os.full_name (non-ECS)
user_agent.os.version
user_agent.os.major
user_agent.os.minor
file.path
file.size
andrewkroh committed Oct 24, 2018
1 parent c09f3c7 commit ce9e3b9
Showing 3 changed files with 288 additions and 6 deletions.
115 changes: 110 additions & 5 deletions filebeat/_meta/fields.common.yml
Expand Up @@ -120,6 +120,11 @@
@timestamp is the processed timestamp from the log line. If both are identical
only @timestamp should be used.
- name: event.type
type: keyword
description: >
A type given to this kind of event which can be used for grouping.
- name: http.response.status_code
type: long
description: >
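Review bot: the new `event.type` entry omits the `level:` attribute that every other ECS-derived field added in this commit carries (`level: extended` on all of the `user_agent.*` entries), and its description ("A type given to this kind of event which can be used for grouping") does not tell a reader what values the Suricata module will write into it. Suggest adding the `level:` attribute and an `example:` value, following the `example: Chrome` pattern used for `user_agent.name`, so the generated docs show a concrete grouping value.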
Expand Down Expand Up @@ -149,6 +154,8 @@
description: >
IP address of the source.
Can be one or multiple IPv4 or IPv6 addresses.
- name: port
type: long
description: >
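Review bot: the sentence appended to `source.ip`, "Can be one or multiple IPv4 or IPv6 addresses.", reads more naturally as "Can be one or more IPv4 or IPv6 addresses."; the same sentence is reused for `destination.ip` further down, so the wording should be fixed in both places together.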
Expand Down Expand Up @@ -192,6 +199,18 @@
- name: destination
type: group
fields:
- name: ip
type: ip
description: >
IP address of the destination.
Can be one or multiple IPv4 or IPv6 addresses.
- name: port
type: long
description: >
Port of the destination.
- name: geo
type: group
description:
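Review bot: `destination.ip` and `destination.port` are added without a `level:` attribute, while the `user_agent.*` fields added in the same commit all carry `level: extended`; since the docs generator renders whatever is present, the two groups will look inconsistent in `fields.asciidoc`. Suggest giving `destination.ip` and `destination.port` the same treatment as the `user_agent` block (a `level:` line on each), and keeping the `destination.port` description in the same form as `source.port` so the two sections stay parallel.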
Expand Down Expand Up @@ -228,16 +247,86 @@
Region ISO code.
- name: user_agent
title: User agent
description: >
The user_agent fields normally come from a browser request. They often
show up in web service logs coming from the parsed user agent string.
type: group
fields:
- name: os
type: group
fields:
- name: full_name
- name: original
level: extended
type: keyword
description: >
Unparsed version of the user_agent.
- name: device
level: extended
type: keyword
description: >
Name of the physical device.
- name: version
level: extended
type: keyword
description: >
Version of the physical device.
- name: major
level: extended
type: long
description: >
Major version of the user agent.
- name: minor
level: extended
type: long
description: >
Minor version of the user agent.
- name: patch
level: extended
type: keyword
description: >
Patch version of the user agent.
- name: name
level: extended
type: keyword
example: Chrome
description: >
Name of the user agent.
- name: os.name
level: extended
type: keyword
description: >
Name of the operating system.
- name: os.full_name
level: extended
type: keyword
description: >
Full name of the operating system (includes version).
- name: os.version
level: extended
type: keyword
description: >
Version of the operating system.
- name: os.major
level: extended
type: long
description: >
Major version of the operating system.
- name: os.minor
level: extended
type: long
description: >
Minor version of the operating system.
- name: url
title: URL
description: >
URL fields provide a complete URL, with scheme, host, and path. The URL
object can be reused in other prefixes, such as `host.url.*` for
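Review bot: the description of `user_agent.version` reads "Version of the physical device.", which duplicates the `device` entry's wording; the commit message lists `user_agent.version` alongside `major`/`minor`/`patch` as a user agent field, so it should read "Version of the user agent." to match the sibling descriptions ("Major version of the user agent.", "Minor version of the user agent."). Two smaller points in the same block: `major` and `minor` are `type: long` while `patch` is `type: keyword`, and nothing in the hunk explains why the third component is treated differently, so either align the three types or add a comment stating the reason; and `os.full_name` is flagged as non-ECS only in the commit message, so a YAML comment next to that entry (`# non-ECS`) would keep that information with the schema source where future edits will see it.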
Expand All @@ -251,3 +340,19 @@
Hostname of the request, such as "elastic.co".
In some cases a URL may refer to an IP and/or port directly, without a
domain name. In this case, the IP address would go to the `hostname` field.
- name: file
description: >
File fields provide details about each file.
type: group
fields:
- name: path
level: extended
type: keyword
description: Path to the file.

- name: size
type: long
description: File size in bytes (field is only added when `type` is
`file`).
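Review bot: the `file.size` description says the field "is only added when `type` is `file`", but no `type` field is defined in this `file` group or anywhere else in the hunk, so a reader of the generated docs cannot tell which field the condition refers to; either spell out the fully qualified field name the condition depends on or drop the qualifier. Also, `file.path` carries `level: extended` while `file.size` has no `level:` at all, and both entries use inline `description:` strings where the rest of this file uses the `description: >` block style; suggest making the two entries consistent with each other and with the surrounding groups.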
177 changes: 177 additions & 0 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -3128,6 +3128,16 @@ type: date
event.created contains the date on which the event was created. In case of log events this is when the log line was read by Filebeat. In comparison @timestamp is the processed timestamp from the log line. If both are identical only @timestamp should be used.
--
*`event.type`*::
+
--
type: keyword
A type given to this kind of event which can be used for grouping.
--
*`http.response.status_code`*::
Expand Down Expand Up @@ -3179,6 +3189,7 @@ Request method.
type: ip
IP address of the source.
Can be one or multiple IPv4 or IPv6 addresses.
--
Expand Down Expand Up @@ -3260,6 +3271,27 @@ Region ISO code.
--
*`destination.ip`*::
+
--
type: ip
IP address of the destination.
Can be one or multiple IPv4 or IPv6 addresses.
--
*`destination.port`*::
+
--
type: long
Port of the destination.
--
[float]
== geo fields
Expand Down Expand Up @@ -3326,13 +3358,133 @@ Region ISO code.
--
[float]
== user_agent fields
The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.
*`user_agent.original`*::
+
--
type: keyword
Unparsed version of the user_agent.
--
*`user_agent.device`*::
+
--
type: keyword
Name of the physical device.
--
*`user_agent.version`*::
+
--
type: keyword
Version of the physical device.
--
*`user_agent.major`*::
+
--
type: long
Major version of the user agent.
--
*`user_agent.minor`*::
+
--
type: long
Minor version of the user agent.
--
*`user_agent.patch`*::
+
--
type: keyword
Patch version of the user agent.
--
*`user_agent.name`*::
+
--
type: keyword
example: Chrome
Name of the user agent.
--
*`user_agent.os.name`*::
+
--
type: keyword
Name of the operating system.
--
*`user_agent.os.full_name`*::
+
--
type: keyword
Full name of the operating system (includes version).
--
*`user_agent.os.version`*::
+
--
type: keyword
Version of the operating system.
--
*`user_agent.os.major`*::
+
--
type: long
Major version of the operating system.
--
*`user_agent.os.minor`*::
+
--
type: long
Minor version of the operating system.
--
[float]
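Review bot: the rendered entry for `user_agent.version` carries the same "Version of the physical device." text as `filebeat/_meta/fields.common.yml`, so the wording fix belongs in the yml source with this file regenerated from it rather than edited by hand; otherwise the two will drift apart on the next regeneration. The same applies to the `long`/`keyword` split between `user_agent.major`/`user_agent.minor` and `user_agent.patch`, which this hunk faithfully reproduces from the yml.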
Expand All @@ -3350,6 +3502,31 @@ type: keyword
Hostname of the request, such as "elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `hostname` field.
--
[float]
== file fields
File fields provide details about each file.
*`file.path`*::
+
--
type: keyword
Path to the file.
--
*`file.size`*::
+
--
type: long
File size in bytes (field is only added when `type` is `file`).
--
[[exported-fields-logstash]]
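Review bot: the rendered `file.size` text "field is only added when `type` is `file`" inherits the unresolved reference from the yml; since `fields.asciidoc` is generated from `filebeat/_meta/fields.common.yml`, the clarification of which field `type` refers to should be made there and this file regenerated, so the docs and the schema stay in step.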