From 3588a88ab704b181e8b15427b0953a7bb72c3467 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Tue, 23 Apr 2019 15:35:09 -0400 Subject: [PATCH 1/7] Add event.code --- code/go/ecs/event.go | 6 ++++ docs/field-details.asciidoc | 13 +++++++ generated/beats/fields.ecs.yml | 10 ++++++ generated/csv/fields.csv | 1 + generated/ecs/ecs_flat.yml | 48 ++++++++++++++++--------- generated/ecs/ecs_nested.yml | 48 ++++++++++++++++--------- generated/elasticsearch/6/template.json | 4 +++ generated/elasticsearch/7/template.json | 4 +++ generated/legacy/template.json | 4 +++ schemas/event.yml | 12 +++++++ 10 files changed, 116 insertions(+), 34 deletions(-) diff --git a/code/go/ecs/event.go b/code/go/ecs/event.go index 56fcebe056..9464a81685 100644 --- a/code/go/ecs/event.go +++ b/code/go/ecs/event.go @@ -37,6 +37,12 @@ type Event struct { // Unique ID to describe the event. ID string `ecs:"id"` + // Identification code for this event, if one exists. + // Some event sources use event codes to identify messages unambiguously, + // regardless of message language or wording adjustments over time. An + // example of this is the Windows Event ID. + Code string `ecs:"code"` + // The kind of the event. // This gives information about what type of information the event // contains, without being specific to the contents of the event. Examples diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index a65f982c92..dd7ab0e2c6 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
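Review bot: The doc comment on the new `Code` field says codes identify messages unambiguously, but as the description itself implies that only holds within the emitting source, and nothing tells a consumer writing matching rules that the same numeric code can mean different things in different sources. I would add one line after the Windows Event ID sentence: `// A code is only meaningful within the source that emitted it; do not treat it as globally unique.` The same description text appears in the docs, generated files and schemas/event.yml hunks of this patch, so if event.go is generated from the schema the wording belongs there. The Event struct starts before and continues after this hunk.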
@@ -706,6 +706,19 @@ example: `user-management` // =============================================================== +| event.code +| Identification code for this event, if one exists. + +Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + +type: keyword + +example: `4648` + +| extended + +// =============================================================== + | event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index d27d7f5ea3..5fdf363b09 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -583,6 +583,16 @@ multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.' example: user-management + - name: code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 - name: created level: core type: date diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index c955eced51..04984d5722 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -71,6 +71,7 @@ error.id,keyword,core,,1.1.0-dev error.message,text,core,,1.1.0-dev event.action,keyword,core,user-password-change,1.1.0-dev event.category,keyword,core,user-management,1.1.0-dev +event.code,keyword,extended,4648,1.1.0-dev event.created,date,core,,1.1.0-dev event.dataset,keyword,core,stats,1.1.0-dev event.duration,long,core,,1.1.0-dev diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 28f575c964..24c0373993 100644 
--- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -738,7 +738,7 @@ event.action: ignore_above: 1024 level: core name: action - order: 3 + order: 4 short: The action captured by the event. type: keyword event.category: @@ -753,9 +753,23 @@ event.category: ignore_above: 1024 level: core name: category - order: 2 + order: 3 short: Event category. type: keyword +event.code: + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is the + Windows Event ID.' + example: 4648 + flat_name: event.code + ignore_above: 1024 + level: extended + name: code + order: 1 + short: Identification code for this event. + type: keyword event.created: description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. @@ -772,7 +786,7 @@ event.created: flat_name: event.created level: core name: created - order: 13 + order: 14 short: Time when the event was first read by an agent or by your pipeline. type: date event.dataset: @@ -786,7 +800,7 @@ event.dataset: ignore_above: 1024 level: core name: dataset - order: 7 + order: 8 short: Name of the dataset. type: keyword event.duration: @@ -799,7 +813,7 @@ event.duration: input_format: nanoseconds level: core name: duration - order: 11 + order: 12 output_format: asMilliseconds output_precision: 1 short: Duration of the event in nanoseconds. @@ -810,7 +824,7 @@ event.end: flat_name: event.end level: extended name: end - order: 15 + order: 16 short: event.end contains the date when the event ended or when the activity was last observed. type: date @@ -822,7 +836,7 @@ event.hash: ignore_above: 1024 level: extended name: hash - order: 10 + order: 11 short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. type: keyword 
@@ -848,7 +862,7 @@ event.kind: ignore_above: 1024 level: extended name: kind - order: 1 + order: 2 short: The kind of the event. type: keyword event.module: @@ -860,7 +874,7 @@ event.module: ignore_above: 1024 level: core name: module - order: 6 + order: 7 short: Name of the module this data is coming from. type: keyword event.original: @@ -876,7 +890,7 @@ event.original: index: false level: core name: original - order: 9 + order: 10 short: Raw text message of entire event. type: keyword event.outcome: @@ -891,7 +905,7 @@ event.outcome: ignore_above: 1024 level: extended name: outcome - order: 4 + order: 5 short: The outcome of the event. type: keyword event.risk_score: @@ -900,7 +914,7 @@ event.risk_score: flat_name: event.risk_score level: core name: risk_score - order: 16 + order: 17 short: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. type: float @@ -913,7 +927,7 @@ event.risk_score_norm: flat_name: event.risk_score_norm level: extended name: risk_score_norm - order: 17 + order: 18 short: Normalized risk score or priority of the event (0-100). type: float event.severity: @@ -924,7 +938,7 @@ event.severity: flat_name: event.severity level: core name: severity - order: 8 + order: 9 short: Original severity of the event. type: long event.start: @@ -933,7 +947,7 @@ event.start: flat_name: event.start level: extended name: start - order: 14 + order: 15 short: event.start contains the date when the event started or when the activity was first observed. type: date @@ -948,7 +962,7 @@ event.timezone: ignore_above: 1024 level: extended name: timezone - order: 12 + order: 13 short: Event time zone. type: keyword event.type: @@ -959,7 +973,7 @@ event.type: ignore_above: 1024 level: core name: type - order: 5 + order: 6 short: Reserved for future usage. type: keyword file.ctime: diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 8019764df6..131b070b41 100644 
--- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -912,7 +912,7 @@ event: ignore_above: 1024 level: core name: action - order: 3 + order: 4 short: The action captured by the event. type: keyword category: @@ -927,9 +927,23 @@ event: ignore_above: 1024 level: core name: category - order: 2 + order: 3 short: Event category. type: keyword + code: + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + flat_name: event.code + ignore_above: 1024 + level: extended + name: code + order: 1 + short: Identification code for this event. + type: keyword created: description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. @@ -946,7 +960,7 @@ event: flat_name: event.created level: core name: created - order: 13 + order: 14 short: Time when the event was first read by an agent or by your pipeline. type: date dataset: @@ -960,7 +974,7 @@ event: ignore_above: 1024 level: core name: dataset - order: 7 + order: 8 short: Name of the dataset. type: keyword duration: @@ -973,7 +987,7 @@ event: input_format: nanoseconds level: core name: duration - order: 11 + order: 12 output_format: asMilliseconds output_precision: 1 short: Duration of the event in nanoseconds. @@ -984,7 +998,7 @@ event: flat_name: event.end level: extended name: end - order: 15 + order: 16 short: event.end contains the date when the event ended or when the activity was last observed. type: date @@ -996,7 +1010,7 @@ event: ignore_above: 1024 level: extended name: hash - order: 10 + order: 11 short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. type: keyword 
@@ -1022,7 +1036,7 @@ event: ignore_above: 1024 level: extended name: kind - order: 1 + order: 2 short: The kind of the event. type: keyword module: @@ -1034,7 +1048,7 @@ event: ignore_above: 1024 level: core name: module - order: 6 + order: 7 short: Name of the module this data is coming from. type: keyword original: @@ -1050,7 +1064,7 @@ event: index: false level: core name: original - order: 9 + order: 10 short: Raw text message of entire event. type: keyword outcome: @@ -1065,7 +1079,7 @@ event: ignore_above: 1024 level: extended name: outcome - order: 4 + order: 5 short: The outcome of the event. type: keyword risk_score: @@ -1074,7 +1088,7 @@ event: flat_name: event.risk_score level: core name: risk_score - order: 16 + order: 17 short: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. type: float @@ -1087,7 +1101,7 @@ event: flat_name: event.risk_score_norm level: extended name: risk_score_norm - order: 17 + order: 18 short: Normalized risk score or priority of the event (0-100). type: float severity: @@ -1098,7 +1112,7 @@ event: flat_name: event.severity level: core name: severity - order: 8 + order: 9 short: Original severity of the event. type: long start: @@ -1107,7 +1121,7 @@ event: flat_name: event.start level: extended name: start - order: 14 + order: 15 short: event.start contains the date when the event started or when the activity was first observed. type: date @@ -1122,7 +1136,7 @@ event: ignore_above: 1024 level: extended name: timezone - order: 12 + order: 13 short: Event time zone. type: keyword type: @@ -1133,7 +1147,7 @@ event: ignore_above: 1024 level: core name: type - order: 5 + order: 6 short: Reserved for future usage. type: keyword group: 2 diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index bcd9d3a3c0..316f4b1b38 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json 
@@ -354,6 +354,10 @@ "ignore_above": 1024, "type": "keyword" }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, "created": { "type": "date" }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index b7dbf70306..6444324390 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -353,6 +353,10 @@ "ignore_above": 1024, "type": "keyword" }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, "created": { "type": "date" }, diff --git a/generated/legacy/template.json b/generated/legacy/template.json index aee36994c3..54059655b9 100644 --- a/generated/legacy/template.json +++ b/generated/legacy/template.json @@ -212,6 +212,10 @@ "ignore_above": 1024, "type": "keyword" }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, "created": { "type": "date" }, diff --git a/schemas/event.yml b/schemas/event.yml index 4918a98bc5..08eb93331b 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -25,6 +25,18 @@ Unique ID to describe the event. example: 8a4f500d + - name: code + level: extended + type: keyword + short: Identification code for this event. + description: > + Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, + regardless of message language or wording adjustments over time. + An example of this is the Windows Event ID. + example: 4648 + - name: kind level: extended type: keyword From f27943cca65f98595ede230791e4cc43ab95de6c Mon Sep 17 00:00:00 2001 
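Review bot: `example: 4648` on the new `code` entry in schemas/event.yml is an unquoted YAML scalar, so loaders read it as an integer even though the field is `type: keyword`; the neighbouring `example: 8a4f500d` is a string, and the generated fields.ecs.yml and ecs_flat.yml in this same patch carry the bare integer through. Quoting it, `example: '4648'`, keeps the example's type consistent with the field type and avoids a tooling-dependent rendering difference. The `event` field list continues outside the hunk.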
From: Mathieu Martin Date: Tue, 23 Apr 2019 15:35:48 -0400 Subject: [PATCH 2/7] Add event.provider --- code/go/ecs/event.go | 8 ++++++ docs/field-details.asciidoc | 13 +++++++++ generated/beats/fields.ecs.yml | 11 ++++++++ generated/csv/fields.csv | 1 + generated/ecs/ecs_flat.yml | 35 ++++++++++++++++++------- generated/ecs/ecs_nested.yml | 35 ++++++++++++++++++------- generated/elasticsearch/6/template.json | 4 +++ generated/elasticsearch/7/template.json | 4 +++ generated/legacy/template.json | 4 +++ schemas/event.yml | 14 ++++++++++ 10 files changed, 109 insertions(+), 20 deletions(-) diff --git a/code/go/ecs/event.go b/code/go/ecs/event.go index 9464a81685..4bf7b1876f 100644 --- a/code/go/ecs/event.go +++ b/code/go/ecs/event.go @@ -86,6 +86,14 @@ type Event struct { // in metricset.name and metricset.module or fileset.name. Dataset string `ecs:"dataset"` + // Source of the event. + // Event transports such as Syslog or the Windows Event Log typically have + // a single field about the source of an event. It can be the name of the + // software that generated the event (e.g. Sysmon, httpd), or of a + // subsystem of the operating system (kernel, + // Microsoft-Windows-Security-Auditing). + Provider string `ecs:"provider"` + // Severity describes the original severity of the event. What the // different severity values mean can very different between use cases. // It's up to the implementer to make sure severities are consistent across diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index dd7ab0e2c6..0d855d145f 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
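Review bot: The `Provider` comment gives `Sysmon` as a software name and `Microsoft-Windows-Security-Auditing` as a subsystem name, two different naming styles for values that land in the same keyword field, so an implementer cannot tell whether to store the transport's own provider string or a friendlier alias. Since the text already says these transports expose a single source field, I would add `// Use the value as the transport reports it (e.g. the Windows provider name) rather than a normalized alias, so events from one provider group together.` The description is repeated in the docs, generated files and schemas/event.yml hunks of this patch, so the schema is the place to change it if event.go is generated from it. The Event struct starts before and continues after this hunk.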
@@ -847,6 +847,19 @@ example: `success` // =============================================================== +| event.provider +| Source of the event. + +Event transports such as Syslog or the Windows Event Log typically have a single field about the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + +type: keyword + +example: `kernel` + +| extended + +// =============================================================== + | event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 5fdf363b09..9dba6acb25 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -687,6 +687,17 @@ versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.' example: success + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: 'Source of the event. + + Event transports such as Syslog or the Windows Event Log typically have a + single field about the source of an event. It can be the name of the software + that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating + system (kernel, Microsoft-Windows-Security-Auditing).' + example: kernel - name: risk_score level: core type: float diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 04984d5722..2dd840df55 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -82,6 +82,7 @@ event.kind,keyword,extended,state,1.1.0-dev event.module,keyword,core,mysql,1.1.0-dev event.original,keyword,core,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,1.1.0-dev event.outcome,keyword,extended,success,1.1.0-dev +event.provider,keyword,extended,kernel,1.1.0-dev event.risk_score,float,core,,1.1.0-dev event.risk_score_norm,float,extended,,1.1.0-dev event.severity,long,core,7,1.1.0-dev diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 24c0373993..55c9d9ad02 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -786,7 +786,7 @@ event.created: flat_name: event.created level: core name: created - order: 14 + order: 15 short: Time when the event was first read by an agent or by your pipeline. type: date event.dataset: @@ -813,7 +813,7 @@ event.duration: input_format: nanoseconds level: core name: duration - order: 12 + order: 13 output_format: asMilliseconds output_precision: 1 short: Duration of the event in nanoseconds. @@ -824,7 +824,7 @@ event.end: flat_name: event.end level: extended name: end - order: 16 + order: 17 short: event.end contains the date when the event ended or when the activity was last observed. type: date @@ -836,7 +836,7 @@ event.hash: ignore_above: 1024 level: extended name: hash - order: 11 + order: 12 short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. type: keyword @@ -890,7 +890,7 @@ event.original: index: false level: core name: original - order: 10 + order: 11 short: Raw text message of entire event. type: keyword event.outcome: 
@@ -908,13 +908,28 @@ event.outcome: order: 5 short: The outcome of the event. type: keyword +event.provider: + description: 'Source of the event. + + Event transports such as Syslog or the Windows Event Log typically have a single + field about the source of an event. It can be the name of the software that generated + the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, + Microsoft-Windows-Security-Auditing).' + example: kernel + flat_name: event.provider + ignore_above: 1024 + level: extended + name: provider + order: 9 + short: Source of the event. + type: keyword event.risk_score: description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. flat_name: event.risk_score level: core name: risk_score - order: 17 + order: 18 short: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. type: float @@ -927,7 +942,7 @@ event.risk_score_norm: flat_name: event.risk_score_norm level: extended name: risk_score_norm - order: 18 + order: 19 short: Normalized risk score or priority of the event (0-100). type: float event.severity: @@ -938,7 +953,7 @@ event.severity: flat_name: event.severity level: core name: severity - order: 9 + order: 10 short: Original severity of the event. type: long event.start: @@ -947,7 +962,7 @@ event.start: flat_name: event.start level: extended name: start - order: 15 + order: 16 short: event.start contains the date when the event started or when the activity was first observed. type: date @@ -962,7 +977,7 @@ event.timezone: ignore_above: 1024 level: extended name: timezone - order: 13 + order: 14 short: Event time zone. type: keyword event.type: diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 131b070b41..9124765bd7 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -960,7 +960,7 @@ event: flat_name: event.created level: core name: created - order: 14 + order: 15 short: Time when the event was first read by an agent or by your pipeline. type: date dataset: @@ -987,7 +987,7 @@ event: input_format: nanoseconds level: core name: duration - order: 12 + order: 13 output_format: asMilliseconds output_precision: 1 short: Duration of the event in nanoseconds. @@ -998,7 +998,7 @@ event: flat_name: event.end level: extended name: end - order: 16 + order: 17 short: event.end contains the date when the event ended or when the activity was last observed. type: date @@ -1010,7 +1010,7 @@ event: ignore_above: 1024 level: extended name: hash - order: 11 + order: 12 short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. type: keyword @@ -1064,7 +1064,7 @@ event: index: false level: core name: original - order: 10 + order: 11 short: Raw text message of entire event. type: keyword outcome: @@ -1082,13 +1082,28 @@ event: order: 5 short: The outcome of the event. type: keyword + provider: + description: 'Source of the event. + + Event transports such as Syslog or the Windows Event Log typically have a + single field about the source of an event. It can be the name of the software + that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating + system (kernel, Microsoft-Windows-Security-Auditing).' + example: kernel + flat_name: event.provider + ignore_above: 1024 + level: extended + name: provider + order: 9 + short: Source of the event. + type: keyword risk_score: description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. flat_name: event.risk_score level: core name: risk_score - order: 17 + order: 18 short: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. type: float 
@@ -1101,7 +1116,7 @@ event: flat_name: event.risk_score_norm level: extended name: risk_score_norm - order: 18 + order: 19 short: Normalized risk score or priority of the event (0-100). type: float severity: @@ -1112,7 +1127,7 @@ event: flat_name: event.severity level: core name: severity - order: 9 + order: 10 short: Original severity of the event. type: long start: @@ -1121,7 +1136,7 @@ event: flat_name: event.start level: extended name: start - order: 15 + order: 16 short: event.start contains the date when the event started or when the activity was first observed. type: date @@ -1136,7 +1151,7 @@ event: ignore_above: 1024 level: extended name: timezone - order: 13 + order: 14 short: Event time zone. type: keyword type: diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 316f4b1b38..e9edb4d693 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -397,6 +397,10 @@ "ignore_above": 1024, "type": "keyword" }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, "risk_score": { "type": "float" }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 6444324390..9146fb5af5 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -396,6 +396,10 @@ "ignore_above": 1024, "type": "keyword" }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, "risk_score": { "type": "float" }, diff --git a/generated/legacy/template.json b/generated/legacy/template.json index 54059655b9..9f78fb515b 100644 --- a/generated/legacy/template.json +++ b/generated/legacy/template.json @@ -255,6 +255,10 @@ "ignore_above": 1024, "type": "keyword" }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, "risk_score": { "type": "float" }, diff --git a/schemas/event.yml b/schemas/event.yml index 08eb93331b..98e7664475 100644 --- a/schemas/event.yml +++ b/schemas/event.yml 
@@ -123,6 +123,20 @@ stored in metricset.name and metricset.module or fileset.name. example: stats + - name: provider + level: extended + type: keyword + short: Source of the event. + description: > + Source of the event. + + Event transports such as Syslog or the Windows Event Log typically have + a single field about the source of an event. It can be the name of the + software that generated the event (e.g. Sysmon, httpd), + or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + + example: kernel + - name: severity level: core type: long From acad535ef51b590f1ff3d59e4f49228eadf785e7 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Tue, 23 Apr 2019 16:05:40 -0400 Subject: [PATCH 3/7] Improve event.module and event.dataset definitions. This removes references of how things used to be in Beats 6 and before, and explains what .module and .dataset mean, and how to use them. --- code/go/ecs/event.go | 12 ++++++++---- docs/field-details.asciidoc | 10 ++++++---- generated/beats/fields.ecs.yml | 16 ++++++++++------ generated/csv/fields.csv | 4 ++-- generated/ecs/ecs_flat.yml | 16 ++++++++++------ generated/ecs/ecs_nested.yml | 16 ++++++++++------ schemas/event.yml | 17 +++++++++++------ use-cases/auditbeat.md | 2 +- 8 files changed, 58 insertions(+), 35 deletions(-) diff --git a/code/go/ecs/event.go b/code/go/ecs/event.go index 4bf7b1876f..654112796b 100644 --- a/code/go/ecs/event.go +++ b/code/go/ecs/event.go 
@@ -77,13 +77,17 @@ type Event struct { Type string `ecs:"type"` // Name of the module this data is coming from. - // This information is coming from the modules used in Beats or Logstash. + // If your monitoring agent supports the concept of modules or plugins to + // parse events of a given source (e.g. Apache logs), `event.module` should + // contain the name of this module. Module string `ecs:"module"` // Name of the dataset. - // The concept of a `dataset` (fileset / metricset) is used in Beats as a - // subset of modules. It contains the information which is currently stored - // in metricset.name and metricset.module or fileset.name. + // If an event source publishes more than one type of log or events (e.g. + // access log, error log), the dataset is used to specify which dataset + // this comes from. + // It's recommended but not required to start the dataset name with the + // module name, followed by a dot, then the dataset name. Dataset string `ecs:"dataset"` // Source of the event. diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 0d855d145f..bed436bf65 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -739,11 +739,13 @@ type: date | event.dataset | Name of the dataset. -The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. +If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which dataset this comes from. + +It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. type: keyword -example: `stats` +example: `apache.access` | core 
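Review bot: The new `Dataset` comment reads "more than one type of log or events", which mixes singular and plural; `// If an event source publishes more than one type of log or event (e.g.` fixes it, and the same sentence appears in the schemas/event.yml hunk of this patch and in the generated files derived from it, so the schema is where the fix should go. The comment also states the module-dot-dataset recommendation without the `apache.access` example that the docs and CSV hunks in this patch use; a trailing `// Example: apache.access.` makes the Go comment self-contained. The Event struct starts before and continues after this hunk.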
@@ -811,11 +813,11 @@ example: `state` | event.module | Name of the module this data is coming from. -This information is coming from the modules used in Beats or Logstash. +If your monitoring agent supports the concept of modules or plugins to parse events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. type: keyword -example: `mysql` +example: `apache` | core diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 9dba6acb25..e0ece5f1c9 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -614,10 +614,12 @@ ignore_above: 1024 description: 'Name of the dataset. - The concept of a `dataset` (fileset / metricset) is used in Beats as a subset - of modules. It contains the information which is currently stored in metricset.name - and metricset.module or fileset.name.' - example: stats + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which dataset this comes from. + + It''s recommended but not required to start the dataset name with the module + name, followed by a dot, then the dataset name.' + example: apache.access - name: duration level: core type: long @@ -664,8 +666,10 @@ ignore_above: 1024 description: 'Name of the module this data is coming from. - This information is coming from the modules used in Beats or Logstash.' - example: mysql + If your monitoring agent supports the concept of modules or plugins to parse + events of a given source (e.g. Apache logs), `event.module` should contain + the name of this module.' + example: apache - name: original level: core type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 2dd840df55..c74c335f28 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -73,13 +73,13 @@ event.action,keyword,core,user-password-change,1.1.0-dev event.category,keyword,core,user-management,1.1.0-dev event.code,keyword,extended,4648,1.1.0-dev event.created,date,core,,1.1.0-dev -event.dataset,keyword,core,stats,1.1.0-dev +event.dataset,keyword,core,apache.access,1.1.0-dev event.duration,long,core,,1.1.0-dev event.end,date,extended,,1.1.0-dev event.hash,keyword,extended,123456789012345678901234567890ABCD,1.1.0-dev event.id,keyword,core,8a4f500d,1.1.0-dev event.kind,keyword,extended,state,1.1.0-dev -event.module,keyword,core,mysql,1.1.0-dev +event.module,keyword,core,apache,1.1.0-dev event.original,keyword,core,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,1.1.0-dev event.outcome,keyword,extended,success,1.1.0-dev event.provider,keyword,extended,kernel,1.1.0-dev diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 55c9d9ad02..277d060794 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -792,10 +792,12 @@ event.created: event.dataset: description: 'Name of the dataset. - The concept of a `dataset` (fileset / metricset) is used in Beats as a subset - of modules. It contains the information which is currently stored in metricset.name - and metricset.module or fileset.name.' - example: stats + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which dataset this comes from. + + It''s recommended but not required to start the dataset name with the module name, + followed by a dot, then the dataset name.' + example: apache.access flat_name: event.dataset ignore_above: 1024 level: core 
@@ -868,8 +870,10 @@ event.kind: event.module: description: 'Name of the module this data is coming from. - This information is coming from the modules used in Beats or Logstash.' - example: mysql + If your monitoring agent supports the concept of modules or plugins to parse events + of a given source (e.g. Apache logs), `event.module` should contain the name of + this module.' + example: apache flat_name: event.module ignore_above: 1024 level: core diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 9124765bd7..2fce418d1d 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -966,10 +966,12 @@ event: dataset: description: 'Name of the dataset. - The concept of a `dataset` (fileset / metricset) is used in Beats as a subset - of modules. It contains the information which is currently stored in metricset.name - and metricset.module or fileset.name.' - example: stats + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which dataset this comes from. + + It''s recommended but not required to start the dataset name with the module + name, followed by a dot, then the dataset name.' + example: apache.access flat_name: event.dataset ignore_above: 1024 level: core @@ -1042,8 +1044,10 @@ event: module: description: 'Name of the module this data is coming from. - This information is coming from the modules used in Beats or Logstash.' - example: mysql + If your monitoring agent supports the concept of modules or plugins to parse + events of a given source (e.g. Apache logs), `event.module` should contain + the name of this module.' + example: apache flat_name: event.module ignore_above: 1024 level: core diff --git a/schemas/event.yml b/schemas/event.yml index 98e7664475..fb074cc286 100644 --- a/schemas/event.yml +++ b/schemas/event.yml 
@@ -108,8 +108,10 @@ description: > Name of the module this data is coming from. - This information is coming from the modules used in Beats or Logstash. - example: mysql + If your monitoring agent supports the concept of modules or plugins to parse events + of a given source (e.g. Apache logs), `event.module` should contain the name + of this module. + example: apache - name: dataset level: core @@ -118,10 +120,13 @@ description: > Name of the dataset. - The concept of a `dataset` (fileset / metricset) is used in Beats as a - subset of modules. It contains the information which is currently - stored in metricset.name and metricset.module or fileset.name. - example: stats + If an event source publishes more than one type of log or events + (e.g. access log, error log), the dataset is used to specify which + dataset this comes from. + + It's recommended but not required to start the dataset name with + the module name, followed by a dot, then the dataset name. + example: apache.access - name: provider level: extended diff --git a/use-cases/auditbeat.md b/use-cases/auditbeat.md index 515c6245de..1ab9c2f7bf 100644 --- a/use-cases/auditbeat.md +++ b/use-cases/auditbeat.md @@ -7,7 +7,7 @@ ECS usage in Auditbeat. | Field | Description | Level | Type | Example | |---|---|---|---|---| -| [event.module](../README.md#event.module) | Auditbeat module name. | core | keyword | `mysql` | +| [event.module](../README.md#event.module) | Auditbeat module name. | core | keyword | `apache` | | *file.** | *File attributes.
* | | | | | [file.path](../README.md#file.path) | The path to the file. | extended | keyword | | | [file.target_path](../README.md#file.target_path) | The target path for symlinks. | extended | keyword | | From d4d101a097230e0c5b08acc6058301bafcb83463 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Tue, 23 Apr 2019 16:06:20 -0400 Subject: [PATCH 4/7] Add event.sequence --- code/go/ecs/event.go | 6 ++++++ docs/field-details.asciidoc | 13 +++++++++++++ generated/beats/fields.ecs.yml | 7 +++++++ generated/csv/fields.csv | 1 + generated/ecs/ecs_flat.yml | 23 +++++++++++++++++------ generated/ecs/ecs_nested.yml | 23 +++++++++++++++++------ generated/elasticsearch/6/template.json | 3 +++ generated/elasticsearch/7/template.json | 3 +++ generated/legacy/template.json | 3 +++ schemas/event.yml | 10 ++++++++++ 10 files changed, 80 insertions(+), 12 deletions(-) diff --git a/code/go/ecs/event.go b/code/go/ecs/event.go index 654112796b..2e5538e6d0 100644 --- a/code/go/ecs/event.go +++ b/code/go/ecs/event.go @@ -118,6 +118,12 @@ type Event struct { // difference between the end and start time. Duration time.Duration `ecs:"duration"` + // Sequence number of the event. + // The sequence number is a value published by some event sources, to make + // the exact ordering of events unambiguous, regarless of the timestamp + // precision. + Sequence int64 `ecs:"sequence"` + // This field should be populated when the event's timestamp does not // include timezone information already (e.g. default Syslog timestamps). // It's optional otherwise. diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index bed436bf65..7bc059dfe1 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
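Review bot: The new Sequence field comment misspells "regardless" as "regarless" (`// the exact ordering of events unambiguous, regarless of the timestamp`), and the same typo appears in every copy of the event.sequence description in this patch: field-details.asciidoc, fields.ecs.yml, ecs_flat.yml, ecs_nested.yml and schemas/event.yml. The generated/ files and, presumably, code/go/ecs/event.go are rendered from schemas/event.yml, so correcting the description there and regenerating is the single fix; the expected Go line is `// the exact ordering of events unambiguous, regardless of the timestamp`. The description could also say that a gap in the sequence numbers from one source indicates events were dropped or lost between source and collector, since that is the main thing consumers do with a sequence number besides ordering. The Event struct begins and ends outside the hunk.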
@@ -882,6 +882,19 @@ type: float +| extended + +// =============================================================== + +| event.sequence +| Sequence number of the event. + +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. + +type: long + + + | extended // =============================================================== diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index e0ece5f1c9..5fde0d0753 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -715,6 +715,13 @@ This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.' + - name: sequence + level: extended + type: long + description: 'Sequence number of the event. + + The sequence number is a value published by some event sources, to make the + exact ordering of events unambiguous, regarless of the timestamp precision.' - name: severity level: core type: long diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index c74c335f28..37dc4d8ed8 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -85,6 +85,7 @@ event.outcome,keyword,extended,success,1.1.0-dev event.provider,keyword,extended,kernel,1.1.0-dev event.risk_score,float,core,,1.1.0-dev event.risk_score_norm,float,extended,,1.1.0-dev +event.sequence,long,extended,,1.1.0-dev event.severity,long,core,7,1.1.0-dev event.start,date,extended,,1.1.0-dev event.timezone,keyword,extended,,1.1.0-dev diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 277d060794..e049c47bce 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -786,7 +786,7 @@ event.created: flat_name: event.created level: core name: created - order: 15 + order: 16 short: Time when the event was first read by an agent or by your pipeline. type: date event.dataset: 
@@ -826,7 +826,7 @@ event.end: flat_name: event.end level: extended name: end - order: 17 + order: 18 short: event.end contains the date when the event ended or when the activity was last observed. type: date @@ -933,7 +933,7 @@ event.risk_score: flat_name: event.risk_score level: core name: risk_score - order: 18 + order: 19 short: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. type: float @@ -946,9 +946,20 @@ event.risk_score_norm: flat_name: event.risk_score_norm level: extended name: risk_score_norm - order: 19 + order: 20 short: Normalized risk score or priority of the event (0-100). type: float +event.sequence: + description: 'Sequence number of the event. + + The sequence number is a value published by some event sources, to make the exact + ordering of events unambiguous, regarless of the timestamp precision.' + flat_name: event.sequence + level: extended + name: sequence + order: 14 + short: Sequence number of the event. + type: long event.severity: description: Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer @@ -966,7 +977,7 @@ event.start: flat_name: event.start level: extended name: start - order: 16 + order: 17 short: event.start contains the date when the event started or when the activity was first observed. type: date @@ -981,7 +992,7 @@ event.timezone: ignore_above: 1024 level: extended name: timezone - order: 14 + order: 15 short: Event time zone. type: keyword event.type: diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 2fce418d1d..b1db74c48b 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -960,7 +960,7 @@ event: flat_name: event.created level: core name: created - order: 15 + order: 16 short: Time when the event was first read by an agent or by your pipeline. type: date dataset: 
@@ -1000,7 +1000,7 @@ event: flat_name: event.end level: extended name: end - order: 17 + order: 18 short: event.end contains the date when the event ended or when the activity was last observed. type: date @@ -1107,7 +1107,7 @@ event: flat_name: event.risk_score level: core name: risk_score - order: 18 + order: 19 short: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. type: float @@ -1120,9 +1120,20 @@ event: flat_name: event.risk_score_norm level: extended name: risk_score_norm - order: 19 + order: 20 short: Normalized risk score or priority of the event (0-100). type: float + sequence: + description: 'Sequence number of the event. + + The sequence number is a value published by some event sources, to make the + exact ordering of events unambiguous, regarless of the timestamp precision.' + flat_name: event.sequence + level: extended + name: sequence + order: 14 + short: Sequence number of the event. + type: long severity: description: Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It's @@ -1140,7 +1151,7 @@ event: flat_name: event.start level: extended name: start - order: 16 + order: 17 short: event.start contains the date when the event started or when the activity was first observed. type: date @@ -1155,7 +1166,7 @@ event: ignore_above: 1024 level: extended name: timezone - order: 14 + order: 15 short: Event time zone. type: keyword type: diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index e9edb4d693..f061721c4a 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -407,6 +407,9 @@ "risk_score_norm": { "type": "float" }, + "sequence": { + "type": "long" + }, "severity": { "type": "long" }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 9146fb5af5..f4419415f0 100644 
--- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -406,6 +406,9 @@ "risk_score_norm": { "type": "float" }, + "sequence": { + "type": "long" + }, "severity": { "type": "long" }, diff --git a/generated/legacy/template.json b/generated/legacy/template.json index 9f78fb515b..2b1c553038 100644 --- a/generated/legacy/template.json +++ b/generated/legacy/template.json @@ -265,6 +265,9 @@ "risk_score_norm": { "type": "float" }, + "sequence": { + "type": "long" + }, "severity": { "type": "long" }, diff --git a/schemas/event.yml b/schemas/event.yml index fb074cc286..f994bd5ad1 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -194,6 +194,16 @@ If event.start and event.end are known this value should be the difference between the end and start time. + - name: sequence + level: extended + type: long + short: Sequence number of the event. + description: > + Sequence number of the event. + + The sequence number is a value published by some event sources, to make the + exact ordering of events unambiguous, regarless of the timestamp precision. + - name: timezone level: extended type: keyword From 9ea89c55b304b25cd211dad945b1086e822b09c5 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Tue, 23 Apr 2019 16:13:08 -0400 Subject: [PATCH 5/7] Remove unnecessary words from event.sequence definition --- code/go/ecs/event.go | 13 ++++++------- docs/field-details.asciidoc | 4 ++-- generated/beats/fields.ecs.yml | 10 +++++----- generated/ecs/ecs_flat.yml | 13 ++++++------- generated/ecs/ecs_nested.yml | 10 +++++----- schemas/event.yml | 10 +++++----- 6 files changed, 29 insertions(+), 31 deletions(-) diff --git a/code/go/ecs/event.go b/code/go/ecs/event.go index 2e5538e6d0..c36466c726 100644 --- a/code/go/ecs/event.go +++ b/code/go/ecs/event.go 
@@ -78,8 +78,8 @@ type Event struct { // Name of the module this data is coming from. // If your monitoring agent supports the concept of modules or plugins to - // parse events of a given source (e.g. Apache logs), `event.module` should - // contain the name of this module. + // process events of a given source (e.g. Apache logs), `event.module` + // should contain the name of this module. Module string `ecs:"module"` // Name of the dataset. @@ -91,11 +91,10 @@ type Event struct { Dataset string `ecs:"dataset"` // Source of the event. - // Event transports such as Syslog or the Windows Event Log typically have - // a single field about the source of an event. It can be the name of the - // software that generated the event (e.g. Sysmon, httpd), or of a - // subsystem of the operating system (kernel, - // Microsoft-Windows-Security-Auditing). + // Event transports such as Syslog or the Windows Event Log typically + // mention the source of an event. It can be the name of the software that + // generated the event (e.g. Sysmon, httpd), or of a subsystem of the + // operating system (kernel, Microsoft-Windows-Security-Auditing). Provider string `ecs:"provider"` // Severity describes the original severity of the event. What the diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 7bc059dfe1..123664bb88 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -813,7 +813,7 @@ example: `state` | event.module | Name of the module this data is coming from. -If your monitoring agent supports the concept of modules or plugins to parse events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. +If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. type: keyword 
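Review bot: The reworded Provider comment explains where the value comes from but not how it relates to event.code, and numeric event codes such as Windows Event IDs are only unique within the provider that emits them. A closing sentence like `// Match event.code together with event.provider, since codes are scoped to the provider.` would stop consumers from treating the same numeric code from unrelated providers as the same event. The Module hunk above is a pure wording change and needs nothing. Both hunks sit inside the Event struct, which starts and ends outside the hunk.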
@@ -852,7 +852,7 @@ example: `success` | event.provider | Source of the event. -Event transports such as Syslog or the Windows Event Log typically have a single field about the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). +Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). type: keyword diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 5fde0d0753..c1738706c4 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -666,7 +666,7 @@ ignore_above: 1024 description: 'Name of the module this data is coming from. - If your monitoring agent supports the concept of modules or plugins to parse + If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.' example: apache @@ -697,10 +697,10 @@ ignore_above: 1024 description: 'Source of the event. - Event transports such as Syslog or the Windows Event Log typically have a - single field about the source of an event. It can be the name of the software - that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating - system (kernel, Microsoft-Windows-Security-Auditing).' + Event transports such as Syslog or the Windows Event Log typically mention + the source of an event. It can be the name of the software that generated + the event (e.g. Sysmon, httpd), or of a subsystem of the operating system + (kernel, Microsoft-Windows-Security-Auditing).' example: kernel - name: risk_score level: core 
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index e049c47bce..c27e4fc780 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -870,9 +870,9 @@ event.kind: event.module: description: 'Name of the module this data is coming from. - If your monitoring agent supports the concept of modules or plugins to parse events - of a given source (e.g. Apache logs), `event.module` should contain the name of - this module.' + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. Apache logs), `event.module` should contain the + name of this module.' example: apache flat_name: event.module ignore_above: 1024 @@ -915,10 +915,9 @@ event.outcome: event.provider: description: 'Source of the event. - Event transports such as Syslog or the Windows Event Log typically have a single - field about the source of an event. It can be the name of the software that generated - the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, - Microsoft-Windows-Security-Auditing).' + Event transports such as Syslog or the Windows Event Log typically mention the + source of an event. It can be the name of the software that generated the event + (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' example: kernel flat_name: event.provider ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index b1db74c48b..776c71991f 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -1044,7 +1044,7 @@ event: module: description: 'Name of the module this data is coming from. - If your monitoring agent supports the concept of modules or plugins to parse + If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.' example: apache 
@@ -1089,10 +1089,10 @@ event: provider: description: 'Source of the event. - Event transports such as Syslog or the Windows Event Log typically have a - single field about the source of an event. It can be the name of the software - that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating - system (kernel, Microsoft-Windows-Security-Auditing).' + Event transports such as Syslog or the Windows Event Log typically mention + the source of an event. It can be the name of the software that generated + the event (e.g. Sysmon, httpd), or of a subsystem of the operating system + (kernel, Microsoft-Windows-Security-Auditing).' example: kernel flat_name: event.provider ignore_above: 1024 diff --git a/schemas/event.yml b/schemas/event.yml index f994bd5ad1..e0d1066634 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -108,9 +108,9 @@ description: > Name of the module this data is coming from. - If your monitoring agent supports the concept of modules or plugins to parse events - of a given source (e.g. Apache logs), `event.module` should contain the name - of this module. + If your monitoring agent supports the concept of modules or plugins to + process events of a given source (e.g. Apache logs), + `event.module` should contain the name of this module. example: apache - name: dataset @@ -135,8 +135,8 @@ description: > Source of the event. - Event transports such as Syslog or the Windows Event Log typically have - a single field about the source of an event. It can be the name of the + Event transports such as Syslog or the Windows Event Log typically + mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). From dcd6fac8f9cfa4222d0f748d3e6f03905b38326b Mon Sep 17 00:00:00 2001 
From: Mathieu Martin Date: Tue, 23 Apr 2019 16:22:44 -0400 Subject: [PATCH 6/7] Changelog --- CHANGELOG.next.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 13629f4c09..248375c72e 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -13,6 +13,7 @@ * Generator for the asciidoc rendering of field definitions. #347 * Generator for the Beats fields.ecs.yml file. #379 * Added field formats to all `.bytes` fields and `event.duration`. #385 +* Added `event.code`, `event.sequence` and `event.provider`. #439 ### Improvements From cecfa58a94d70ac028155c2009e42b8f260b3e67 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Wed, 24 Apr 2019 09:43:45 -0400 Subject: [PATCH 7/7] Small rewording of the event.dataset definition --- code/go/ecs/event.go | 4 ++-- docs/field-details.asciidoc | 2 +- generated/beats/fields.ecs.yml | 3 ++- generated/ecs/ecs_flat.yml | 2 +- generated/ecs/ecs_nested.yml | 3 ++- schemas/event.yml | 2 +- 6 files changed, 9 insertions(+), 7 deletions(-) diff --git a/code/go/ecs/event.go b/code/go/ecs/event.go index c36466c726..f43b4f8f0a 100644 --- a/code/go/ecs/event.go +++ b/code/go/ecs/event.go @@ -84,8 +84,8 @@ type Event struct { // Name of the dataset. // If an event source publishes more than one type of log or events (e.g. - // access log, error log), the dataset is used to specify which dataset - // this comes from. + // access log, error log), the dataset is used to specify which one the + // event comes from. // It's recommended but not required to start the dataset name with the // module name, followed by a dot, then the dataset name. Dataset string `ecs:"dataset"` diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 123664bb88..921f04912a 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -739,7 +739,7 @@ type: date | event.dataset | Name of the dataset. -If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which dataset this comes from. +If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index c1738706c4..f793750386 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -615,7 +615,8 @@ description: 'Name of the dataset. If an event source publishes more than one type of log or events (e.g. access - log, error log), the dataset is used to specify which dataset this comes from. + log, error log), the dataset is used to specify which one the event comes + from. It''s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.' diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index c27e4fc780..1de6bb2d69 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -793,7 +793,7 @@ event.dataset: description: 'Name of the dataset. If an event source publishes more than one type of log or events (e.g. access - log, error log), the dataset is used to specify which dataset this comes from. + log, error log), the dataset is used to specify which one the event comes from. It''s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.' diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 776c71991f..9e1d5f0a84 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -967,7 +967,8 @@ event: description: 'Name of the dataset. If an event source publishes more than one type of log or events (e.g. access - log, error log), the dataset is used to specify which dataset this comes from. + log, error log), the dataset is used to specify which one the event comes + from. It''s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.' diff --git a/schemas/event.yml b/schemas/event.yml index e0d1066634..2e904fa96a 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -122,7 +122,7 @@ If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which - dataset this comes from. + one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.