Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[8.4](backport #32927) Swap source.bytes and destination.bytes traffic log mappings #33060

Merged
merged 1 commit into from
Sep 13, 2022

Conversation

mergify[bot]
Copy link
Contributor

@mergify mergify bot commented Sep 12, 2022

This is an automatic backport of pull request #32927 done by Mergify.


Mergify commands and options

More conditions and actions can be found in the documentation.

You can also trigger Mergify actions by commenting on this pull request:

  • @Mergifyio refresh will re-evaluate the rules
  • @Mergifyio rebase will rebase this PR on its base branch
  • @Mergifyio update will merge the base branch into this PR
  • @Mergifyio backport <destination> will backport this PR on <destination> branch

Additionally, on Mergify dashboard you can:

  • look at your merge queues
  • generate the Mergify configuration with the config editor.

Finally, you can contact us on https://mergify.com

)

* Swap `source.bytes` and `destination.bytes` traffic log mappings

This documentation currently mapps `Bytes Received` to `server.bytes` and `source.bytes` as well as `Bytes Sent` to `client.bytes` and `destination.bytes`.

This mapping is incorrect as per the [Palot Alto Docs](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields), `bytes_sent` is defined as `Number of bytes in the client-to-server direction of the session.` and matches the ECS definitions for `client.bytes` and `source.bytes` being bytes from `client/source => server/destination`.

Likewise, `bytes_received` is defined as `Number of bytes in the server-to-client direction of the session.` and matches the `destination.bytes` and `server.bytes` definitions in ECS being the bytes sent from `server/destination => client/source`.

Furthermore, the [panw filebeat module mapping](https://github.com/elastic/beats/blob/v8.4.0/x-pack/filebeat/module/panw/panos/config/input.yml#L95) and [integration pipeline](https://github.com/elastic/integrations/blob/main/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/traffic.yml#L212) both follow the above conventions.

This proposed change will map `Bytes Received` to `destination.bytes` and `Bytes Sent` to `client.bytes`.

* Swap `source.bytes` and `destination.bytes` traffic log mappings

Swapping the values of `source.bytes` and `destination.bytes` in order to align the documentation with the changes implemented in #18525

* Run make update

Co-authored-by: dedemorton <dede.morton@elastic.co>
(cherry picked from commit 0930b9b)
@mergify mergify bot requested a review from a team as a code owner September 12, 2022 21:59
@mergify mergify bot added the backport label Sep 12, 2022
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Sep 12, 2022
@botelastic
Copy link

botelastic bot commented Sep 12, 2022

This pull request doesn't have a Team:<team> label.

@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-09-12T21:59:34.000+0000

  • Duration: 9 min 36 sec

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@dedemorton dedemorton merged commit b00a6bc into 8.4 Sep 13, 2022
@dedemorton dedemorton deleted the mergify/bp/8.4/pr-32927 branch September 13, 2022 19:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport needs_team Indicates that the issue/PR needs a Team:* label
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants