Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New field event.provider #321

Closed
vbohata opened this issue Feb 12, 2019 · 2 comments · Fixed by #439
Closed

New field event.provider #321

vbohata opened this issue Feb 12, 2019 · 2 comments · Fixed by #439

Comments

@vbohata
Copy link

vbohata commented Feb 12, 2019

I have multiple log types with field named like "source" which is some component/provider of the log. If possible I use non-ECS event.logger field but in fact it is not usable here (logger can be some part of application like class/module itself). I noticed in https://github.com/elastic/beats/pull/10333/files it is named winlog.provider_name but it should be more general and part of ECS because Windows Event log is not the only log type which uses it. So I propose to add "event.provider" field.
@webmat
Copy link
Contributor

webmat commented Feb 14, 2019

Yes, winlog.provider_name is just reusing the Windows Event Log terminology as is, it's not an ECS field yet. What you're suggesting is interesting.

I think it would also map well to Syslog's "programname" field. In the Beats 7.0 migration to ECS, we mapped it to process.name, which is kid of accurate, but not always (e.g. kernel messages).

We'll take this into consideration in the next batch of updates we do to ECS.

@webmat webmat mentioned this issue Apr 23, 2019
Merged
@webmat
Copy link
Contributor

webmat commented Apr 24, 2019

@vbohata #439 👀

event.provider as you suggested :-)

webmat pushed a commit that referenced this issue May 1, 2019
Additions to event (#439)
580752c 
- Added `event.code` (See elastic/beats#10333)
- Added `event.sequence` (See #129, elastic/beats#10760)
- Added `event.provider` (See #321)
  - Note: Beats modules currently put the Syslog "programname" in `process.name` which is sometimes accurate, sometimes not (e.g. "kernel"). event.provider would be a better field for this.
- Explain event.module and event.dataset without mentioning Beats
@vbohata vbohata mentioned this issue Jul 30, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Additions to event webmat/ecs
2 participants
@webmat @vbohata