From 8176d5488d4c623b903c9702e78804b50d5b9047 Mon Sep 17 00:00:00 2001 From: Felix Barnsteiner Date: Wed, 14 Aug 2019 11:16:46 +0200 Subject: [PATCH 1/6] Add event.component used for the logger name --- code/go/ecs/event.go | 6 ++++ docs/field-details.asciidoc | 13 +++++++++ generated/beats/fields.ecs.yml | 10 +++++++ generated/csv/fields.csv | 1 + generated/ecs/ecs_flat.yml | 38 +++++++++++++++++-------- generated/ecs/ecs_nested.yml | 38 +++++++++++++++++-------- generated/elasticsearch/6/template.json | 4 +++ generated/elasticsearch/7/template.json | 4 +++ generated/legacy/template.json | 4 +++ schema.json | 10 +++++++ schemas/event.yml | 12 ++++++++ 11 files changed, 116 insertions(+), 24 deletions(-) diff --git a/code/go/ecs/event.go b/code/go/ecs/event.go index f43b4f8f0a..6f96040c3b 100644 --- a/code/go/ecs/event.go +++ b/code/go/ecs/event.go @@ -90,6 +90,12 @@ type Event struct { // module name, followed by a dot, then the dataset name. Dataset string `ecs:"dataset"` + // Name of the component. + // Similar to dataset but more fine-grained. It is used, for example, to + // store the name of the logger, which is usually the name of the class + // which initialized the logger. + Component string `ecs:"component"` + // Source of the event. // Event transports such as Syslog or the Windows Event Log typically // mention the source of an event. It can be the name of the software that diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 22f78abb4d..5b507c16ef 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -829,6 +829,19 @@ example: `4648` // =============================================================== +| event.component +| Name of the component. + +Similar to dataset but more fine-grained. It is used, for example, to store the name of the logger, which is usually the name of the class which initialized the logger. + +type: keyword + +example: `org.elasticsearch.bootstrap.Bootstrap` + +| core + +// =============================================================== + | event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 03e323df22..4c9b8d7126 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -683,6 +683,16 @@ of message language or wording adjustments over time. An example of this is the Windows Event ID.' example: 4648 + - name: component + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the component. + + Similar to dataset but more fine-grained. It is used, for example, to store + the name of the logger, which is usually the name of the class which initialized + the logger.' + example: org.elasticsearch.bootstrap.Bootstrap - name: created level: core type: date diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index c6fb2d2db6..e5319bccf5 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -84,6 +84,7 @@ error.message,text,core,,1.1.0-dev event.action,keyword,core,user-password-change,1.1.0-dev event.category,keyword,core,user-management,1.1.0-dev event.code,keyword,extended,4648,1.1.0-dev +event.component,keyword,core,org.elasticsearch.bootstrap.Bootstrap,1.1.0-dev event.created,date,core,,1.1.0-dev event.dataset,keyword,core,apache.access,1.1.0-dev event.duration,long,core,,1.1.0-dev diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 1ccb6835ef..0673fd6cbc 100644 --- a/generated/ecs/ecs_flat.yml 
+++ b/generated/ecs/ecs_flat.yml @@ -908,6 +908,20 @@ event.code: order: 1 short: Identification code for this event. type: keyword +event.component: + description: 'Name of the component. + + Similar to dataset but more fine-grained. It is used, for example, to store the + name of the logger, which is usually the name of the class which initialized the + logger.' + example: org.elasticsearch.bootstrap.Bootstrap + flat_name: event.component + ignore_above: 1024 + level: core + name: component + order: 9 + short: Name of the component. + type: keyword event.created: description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. @@ -924,7 +938,7 @@ event.created: flat_name: event.created level: core name: created - order: 16 + order: 17 short: Time when the event was first read by an agent or by your pipeline. type: date event.dataset: @@ -953,7 +967,7 @@ event.duration: input_format: nanoseconds level: core name: duration - order: 13 + order: 14 output_format: asMilliseconds output_precision: 1 short: Duration of the event in nanoseconds. @@ -964,7 +978,7 @@ event.end: flat_name: event.end level: extended name: end - order: 18 + order: 19 short: event.end contains the date when the event ended or when the activity was last observed. type: date @@ -976,7 +990,7 @@ event.hash: ignore_above: 1024 level: extended name: hash - order: 12 + order: 13 short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. type: keyword @@ -1032,7 +1046,7 @@ event.original: index: false level: core name: original - order: 11 + order: 12 short: Raw text message of entire event. type: keyword event.outcome: @@ -1061,7 +1075,7 @@ event.provider: ignore_above: 1024 level: extended name: provider - order: 9 + order: 10 short: Source of the event. type: keyword event.risk_score: 
@@ -1070,7 +1084,7 @@ event.risk_score: flat_name: event.risk_score level: core name: risk_score - order: 19 + order: 20 short: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. type: float @@ -1083,7 +1097,7 @@ event.risk_score_norm: flat_name: event.risk_score_norm level: extended name: risk_score_norm - order: 20 + order: 21 short: Normalized risk score or priority of the event (0-100). type: float event.sequence: @@ -1095,7 +1109,7 @@ event.sequence: format: string level: extended name: sequence - order: 14 + order: 15 short: Sequence number of the event. type: long event.severity: @@ -1107,7 +1121,7 @@ event.severity: format: string level: core name: severity - order: 10 + order: 11 short: Original severity of the event. type: long event.start: @@ -1116,7 +1130,7 @@ event.start: flat_name: event.start level: extended name: start - order: 17 + order: 18 short: event.start contains the date when the event started or when the activity was first observed. type: date @@ -1131,7 +1145,7 @@ event.timezone: ignore_above: 1024 level: extended name: timezone - order: 15 + order: 16 short: Event time zone. type: keyword event.type: diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index cf8f18562e..fec85bda9a 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -1103,6 +1103,20 @@ event: order: 1 short: Identification code for this event. type: keyword + component: + description: 'Name of the component. + + Similar to dataset but more fine-grained. It is used, for example, to store + the name of the logger, which is usually the name of the class which initialized + the logger.' + example: org.elasticsearch.bootstrap.Bootstrap + flat_name: event.component + ignore_above: 1024 + level: core + name: component + order: 9 + short: Name of the component. + type: keyword created: description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. @@ -1119,7 +1133,7 @@ event: flat_name: event.created level: core name: created - order: 16 + order: 17 short: Time when the event was first read by an agent or by your pipeline. type: date dataset: @@ -1149,7 +1163,7 @@ event: input_format: nanoseconds level: core name: duration - order: 13 + order: 14 output_format: asMilliseconds output_precision: 1 short: Duration of the event in nanoseconds. @@ -1160,7 +1174,7 @@ event: flat_name: event.end level: extended name: end - order: 18 + order: 19 short: event.end contains the date when the event ended or when the activity was last observed. type: date @@ -1172,7 +1186,7 @@ event: ignore_above: 1024 level: extended name: hash - order: 12 + order: 13 short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. type: keyword @@ -1228,7 +1242,7 @@ event: index: false level: core name: original - order: 11 + order: 12 short: Raw text message of entire event. type: keyword outcome: @@ -1258,7 +1272,7 @@ event: ignore_above: 1024 level: extended name: provider - order: 9 + order: 10 short: Source of the event. type: keyword risk_score: 
@@ -1267,7 +1281,7 @@ event: flat_name: event.risk_score level: core name: risk_score - order: 19 + order: 20 short: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. type: float @@ -1280,7 +1294,7 @@ event: flat_name: event.risk_score_norm level: extended name: risk_score_norm - order: 20 + order: 21 short: Normalized risk score or priority of the event (0-100). type: float sequence: @@ -1292,7 +1306,7 @@ event: format: string level: extended name: sequence - order: 14 + order: 15 short: Sequence number of the event. type: long severity: @@ -1304,7 +1318,7 @@ event: format: string level: core name: severity - order: 10 + order: 11 short: Original severity of the event. type: long start: @@ -1313,7 +1327,7 @@ event: flat_name: event.start level: extended name: start - order: 17 + order: 18 short: event.start contains the date when the event started or when the activity was first observed. type: date @@ -1328,7 +1342,7 @@ event: ignore_above: 1024 level: extended name: timezone - order: 15 + order: 16 short: Event time zone. type: keyword type: diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 3976add917..e944fdc759 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -431,6 +431,10 @@ "ignore_above": 1024, "type": "keyword" }, + "component": { + "ignore_above": 1024, + "type": "keyword" + }, "created": { "type": "date" }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index d901f896dc..13e5c35823 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -430,6 +430,10 @@ "ignore_above": 1024, "type": "keyword" }, + "component": { + "ignore_above": 1024, + "type": "keyword" + }, "created": { "type": "date" }, diff --git a/generated/legacy/template.json b/generated/legacy/template.json index c728fecef3..7d352a9ed4 100644 
--- a/generated/legacy/template.json +++ b/generated/legacy/template.json @@ -251,6 +251,10 @@ "ignore_above": 1024, "type": "keyword" }, + "component": { + "ignore_above": 1024, + "type": "keyword" + }, "created": { "type": "date" }, diff --git a/schema.json b/schema.json index 281bf8376a..153207b42d 100644 --- a/schema.json +++ b/schema.json @@ -573,6 +573,16 @@ "required": false, "type": "keyword" }, + "event.component": { + "description": "Name of the component.\nSimilar to dataset but more fine-grained. It is used, for example, to store the name of the logger, which is usually the name of the class which initialized the logger.", + "example": "org.elasticsearch.bootstrap.Bootstrap", + "footnote": "", + "group": 2, + "level": "core", + "name": "event.component", + "required": false, + "type": "keyword" + }, "event.created": { "description": "event.created contains the date/time when the event was first read by an agent, or by your pipeline.\nThis field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.\nIn most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.\nIn case the two timestamps are identical, @timestamp should be used.", "example": "", diff --git a/schemas/event.yml b/schemas/event.yml index 474e006d80..65fb9d64e5 100644 --- a/schemas/event.yml +++ b/schemas/event.yml 
@@ -128,6 +128,18 @@ the module name, followed by a dot, then the dataset name. example: apache.access + - name: component + level: core + type: keyword + short: Name of the component. + description: > + Name of the component. + + Similar to dataset but more fine-grained. + It is used, for example, to store the name of the logger, + which is usually the name of the class which initialized the logger. + example: org.elasticsearch.bootstrap.Bootstrap + - name: provider level: extended type: keyword From c808a33c640a61bf76c498ee840c7aba88f81992 Mon Sep 17 00:00:00 2001 From: Felix Barnsteiner Date: Wed, 14 Aug 2019 13:50:09 +0200 Subject: [PATCH 2/6] Revert "Add event.component used for the logger name" This reverts commit 8176d5488d4c623b903c9702e78804b50d5b9047. --- code/go/ecs/event.go | 6 ---- docs/field-details.asciidoc | 13 --------- generated/beats/fields.ecs.yml | 10 ------- generated/csv/fields.csv | 1 - generated/ecs/ecs_flat.yml | 38 ++++++++----------------- generated/ecs/ecs_nested.yml | 38 ++++++++----------------- generated/elasticsearch/6/template.json | 4 --- generated/elasticsearch/7/template.json | 4 --- generated/legacy/template.json | 4 --- schema.json | 10 ------- schemas/event.yml | 12 -------- 11 files changed, 24 insertions(+), 116 deletions(-) diff --git a/code/go/ecs/event.go b/code/go/ecs/event.go index 6f96040c3b..f43b4f8f0a 100644 --- a/code/go/ecs/event.go +++ b/code/go/ecs/event.go @@ -90,12 +90,6 @@ type Event struct { // module name, followed by a dot, then the dataset name. Dataset string `ecs:"dataset"` - // Name of the component. - // Similar to dataset but more fine-grained. It is used, for example, to - // store the name of the logger, which is usually the name of the class - // which initialized the logger. - Component string `ecs:"component"` - // Source of the event. // Event transports such as Syslog or the Windows Event Log typically // mention the source of an event. It can be the name of the software that 
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 5b507c16ef..22f78abb4d 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -829,19 +829,6 @@ example: `4648` // =============================================================== -| event.component -| Name of the component. - -Similar to dataset but more fine-grained. It is used, for example, to store the name of the logger, which is usually the name of the class which initialized the logger. - -type: keyword - -example: `org.elasticsearch.bootstrap.Bootstrap` - -| core - -// =============================================================== - | event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 4c9b8d7126..03e323df22 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -683,16 +683,6 @@ of message language or wording adjustments over time. An example of this is the Windows Event ID.' example: 4648 - - name: component - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the component. - - Similar to dataset but more fine-grained. It is used, for example, to store - the name of the logger, which is usually the name of the class which initialized - the logger.' - example: org.elasticsearch.bootstrap.Bootstrap - name: created level: core type: date diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index e5319bccf5..c6fb2d2db6 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -84,7 +84,6 @@ error.message,text,core,,1.1.0-dev event.action,keyword,core,user-password-change,1.1.0-dev event.category,keyword,core,user-management,1.1.0-dev event.code,keyword,extended,4648,1.1.0-dev -event.component,keyword,core,org.elasticsearch.bootstrap.Bootstrap,1.1.0-dev event.created,date,core,,1.1.0-dev event.dataset,keyword,core,apache.access,1.1.0-dev event.duration,long,core,,1.1.0-dev diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 0673fd6cbc..1ccb6835ef 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -908,20 +908,6 @@ event.code: order: 1 short: Identification code for this event. type: keyword -event.component: - description: 'Name of the component. - - Similar to dataset but more fine-grained. It is used, for example, to store the - name of the logger, which is usually the name of the class which initialized the - logger.' - example: org.elasticsearch.bootstrap.Bootstrap - flat_name: event.component - ignore_above: 1024 - level: core - name: component - order: 9 - short: Name of the component. - type: keyword event.created: description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. @@ -938,7 +924,7 @@ event.created: flat_name: event.created level: core name: created - order: 17 + order: 16 short: Time when the event was first read by an agent or by your pipeline. type: date event.dataset: @@ -967,7 +953,7 @@ event.duration: input_format: nanoseconds level: core name: duration - order: 14 + order: 13 output_format: asMilliseconds output_precision: 1 short: Duration of the event in nanoseconds. @@ -978,7 +964,7 @@ event.end: flat_name: event.end level: extended name: end - order: 19 + order: 18 short: event.end contains the date when the event ended or when the activity was last observed. type: date 
@@ -990,7 +976,7 @@ event.hash: ignore_above: 1024 level: extended name: hash - order: 13 + order: 12 short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. type: keyword @@ -1046,7 +1032,7 @@ event.original: index: false level: core name: original - order: 12 + order: 11 short: Raw text message of entire event. type: keyword event.outcome: @@ -1075,7 +1061,7 @@ event.provider: ignore_above: 1024 level: extended name: provider - order: 10 + order: 9 short: Source of the event. type: keyword event.risk_score: @@ -1084,7 +1070,7 @@ event.risk_score: flat_name: event.risk_score level: core name: risk_score - order: 20 + order: 19 short: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. type: float @@ -1097,7 +1083,7 @@ event.risk_score_norm: flat_name: event.risk_score_norm level: extended name: risk_score_norm - order: 21 + order: 20 short: Normalized risk score or priority of the event (0-100). type: float event.sequence: @@ -1109,7 +1095,7 @@ event.sequence: format: string level: extended name: sequence - order: 15 + order: 14 short: Sequence number of the event. type: long event.severity: @@ -1121,7 +1107,7 @@ event.severity: format: string level: core name: severity - order: 11 + order: 10 short: Original severity of the event. type: long event.start: @@ -1130,7 +1116,7 @@ event.start: flat_name: event.start level: extended name: start - order: 18 + order: 17 short: event.start contains the date when the event started or when the activity was first observed. type: date @@ -1145,7 +1131,7 @@ event.timezone: ignore_above: 1024 level: extended name: timezone - order: 16 + order: 15 short: Event time zone. type: keyword event.type: diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index fec85bda9a..cf8f18562e 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -1103,20 +1103,6 @@ event: order: 1 short: Identification code for this event. type: keyword - component: - description: 'Name of the component. - - Similar to dataset but more fine-grained. It is used, for example, to store - the name of the logger, which is usually the name of the class which initialized - the logger.' - example: org.elasticsearch.bootstrap.Bootstrap - flat_name: event.component - ignore_above: 1024 - level: core - name: component - order: 9 - short: Name of the component. - type: keyword created: description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. @@ -1133,7 +1119,7 @@ event: flat_name: event.created level: core name: created - order: 17 + order: 16 short: Time when the event was first read by an agent or by your pipeline. type: date dataset: @@ -1163,7 +1149,7 @@ event: input_format: nanoseconds level: core name: duration - order: 14 + order: 13 output_format: asMilliseconds output_precision: 1 short: Duration of the event in nanoseconds. @@ -1174,7 +1160,7 @@ event: flat_name: event.end level: extended name: end - order: 19 + order: 18 short: event.end contains the date when the event ended or when the activity was last observed. type: date @@ -1186,7 +1172,7 @@ event: ignore_above: 1024 level: extended name: hash - order: 13 + order: 12 short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. type: keyword @@ -1242,7 +1228,7 @@ event: index: false level: core name: original - order: 12 + order: 11 short: Raw text message of entire event. type: keyword outcome: @@ -1272,7 +1258,7 @@ event: ignore_above: 1024 level: extended name: provider - order: 10 + order: 9 short: Source of the event. type: keyword risk_score: 
@@ -1281,7 +1267,7 @@ event: flat_name: event.risk_score level: core name: risk_score - order: 20 + order: 19 short: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. type: float @@ -1294,7 +1280,7 @@ event: flat_name: event.risk_score_norm level: extended name: risk_score_norm - order: 21 + order: 20 short: Normalized risk score or priority of the event (0-100). type: float sequence: @@ -1306,7 +1292,7 @@ event: format: string level: extended name: sequence - order: 15 + order: 14 short: Sequence number of the event. type: long severity: @@ -1318,7 +1304,7 @@ event: format: string level: core name: severity - order: 11 + order: 10 short: Original severity of the event. type: long start: @@ -1327,7 +1313,7 @@ event: flat_name: event.start level: extended name: start - order: 18 + order: 17 short: event.start contains the date when the event started or when the activity was first observed. type: date @@ -1342,7 +1328,7 @@ event: ignore_above: 1024 level: extended name: timezone - order: 16 + order: 15 short: Event time zone. type: keyword type: diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index e944fdc759..3976add917 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -431,10 +431,6 @@ "ignore_above": 1024, "type": "keyword" }, - "component": { - "ignore_above": 1024, - "type": "keyword" - }, "created": { "type": "date" }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 13e5c35823..d901f896dc 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -430,10 +430,6 @@ "ignore_above": 1024, "type": "keyword" }, - "component": { - "ignore_above": 1024, - "type": "keyword" - }, "created": { "type": "date" }, diff --git a/generated/legacy/template.json b/generated/legacy/template.json index 7d352a9ed4..c728fecef3 100644 
--- a/generated/legacy/template.json +++ b/generated/legacy/template.json @@ -251,10 +251,6 @@ "ignore_above": 1024, "type": "keyword" }, - "component": { - "ignore_above": 1024, - "type": "keyword" - }, "created": { "type": "date" }, diff --git a/schema.json b/schema.json index 153207b42d..281bf8376a 100644 --- a/schema.json +++ b/schema.json @@ -573,16 +573,6 @@ "required": false, "type": "keyword" }, - "event.component": { - "description": "Name of the component.\nSimilar to dataset but more fine-grained. It is used, for example, to store the name of the logger, which is usually the name of the class which initialized the logger.", - "example": "org.elasticsearch.bootstrap.Bootstrap", - "footnote": "", - "group": 2, - "level": "core", - "name": "event.component", - "required": false, - "type": "keyword" - }, "event.created": { "description": "event.created contains the date/time when the event was first read by an agent, or by your pipeline.\nThis field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.\nIn most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.\nIn case the two timestamps are identical, @timestamp should be used.", "example": "", diff --git a/schemas/event.yml b/schemas/event.yml index 65fb9d64e5..474e006d80 100644 --- a/schemas/event.yml +++ b/schemas/event.yml 
@@ -128,18 +128,6 @@ the module name, followed by a dot, then the dataset name. example: apache.access - - name: component - level: core - type: keyword - short: Name of the component. - description: > - Name of the component. - - Similar to dataset but more fine-grained. - It is used, for example, to store the name of the logger, - which is usually the name of the class which initialized the logger. - example: org.elasticsearch.bootstrap.Bootstrap - - name: provider level: extended type: keyword From 3c9ffc3dcf2b52e7ff5b9e9d648012c3d155e8d3 Mon Sep 17 00:00:00 2001 From: Felix Barnsteiner Date: Wed, 14 Aug 2019 13:54:24 +0200 Subject: [PATCH 3/6] Add log.logger --- code/go/ecs/log.go | 4 ++++ docs/field-details.asciidoc | 11 +++++++++++ generated/beats/fields.ecs.yml | 7 +++++++ generated/csv/fields.csv | 1 + generated/ecs/ecs_flat.yml | 11 +++++++++++ generated/ecs/ecs_nested.yml | 11 +++++++++++ generated/elasticsearch/6/template.json | 4 ++++ generated/elasticsearch/7/template.json | 4 ++++ generated/legacy/template.json | 4 ++++ schema.json | 10 ++++++++++ schemas/log.yml | 8 ++++++++ 11 files changed, 75 insertions(+) diff --git a/code/go/ecs/log.go b/code/go/ecs/log.go index 11f3ab8feb..b23ae4474e 100644 --- a/code/go/ecs/log.go +++ b/code/go/ecs/log.go @@ -34,4 +34,8 @@ type Log struct { // This field is not indexed and doc_values are disabled so it can't be // queried but the value can be retrieved from `_source`. Original string `ecs:"original"` + + // The name of the logger, usually the name of the class which initialized + // the logger. + Logger string `ecs:"logger"` } diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 22f78abb4d..8473ffb11f 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -1842,6 +1842,17 @@ example: `err` // =============================================================== +| log.logger +| The name of the logger, usually the name of the class which initialized the logger. + +type: keyword + +example: `org.elasticsearch.bootstrap.Bootstrap` + +| core + +// =============================================================== + | log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 03e323df22..3824055848 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1378,6 +1378,13 @@ Some examples are `warn`, `error`, `i`.' example: err + - name: logger + level: core + type: keyword + ignore_above: 1024 + description: The name of the logger, usually the name of the class which initialized + the logger. + example: org.elasticsearch.bootstrap.Bootstrap - name: original level: core type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index c6fb2d2db6..56f46cb973 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -179,6 +179,7 @@ http.response.bytes,long,extended,1437,1.1.0-dev http.response.status_code,long,extended,404,1.1.0-dev http.version,keyword,extended,1.1,1.1.0-dev log.level,keyword,core,err,1.1.0-dev +log.logger,keyword,core,org.elasticsearch.bootstrap.Bootstrap,1.1.0-dev log.original,keyword,core,Sep 19 08:26:10 localhost My log,1.1.0-dev network.application,keyword,extended,aim,1.1.0-dev network.bytes,long,core,368,1.1.0-dev diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 1ccb6835ef..fa4852398a 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -1966,6 +1966,17 @@ log.level: order: 0 short: Log level of the log event. type: keyword +log.logger: + description: The name of the logger, usually the name of the class which initialized + the logger. + example: org.elasticsearch.bootstrap.Bootstrap + flat_name: log.logger + ignore_above: 1024 + level: core + name: logger + order: 2 + short: Name of the logger. + type: keyword log.original: description: 'This is the original log message and contains the full log message before splitting it up in multiple parts. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index cf8f18562e..e021c8fd7f 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -2255,6 +2255,17 @@ log: order: 0 short: Log level of the log event. type: keyword + logger: + description: The name of the logger, usually the name of the class which initialized + the logger. + example: org.elasticsearch.bootstrap.Bootstrap + flat_name: log.logger + ignore_above: 1024 + level: core + name: logger + order: 2 + short: Name of the logger. + type: keyword original: description: 'This is the original log message and contains the full log message before splitting it up in multiple parts. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 3976add917..022ab93eb8 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -858,6 +858,10 @@ "ignore_above": 1024, "type": "keyword" }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, "original": { "doc_values": false, "ignore_above": 1024, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index d901f896dc..3a2b853572 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json 
@@ -857,6 +857,10 @@ "ignore_above": 1024, "type": "keyword" }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, "original": { "doc_values": false, "ignore_above": 1024, diff --git a/generated/legacy/template.json b/generated/legacy/template.json index c728fecef3..392bc223f1 100644 --- a/generated/legacy/template.json +++ b/generated/legacy/template.json @@ -555,6 +555,10 @@ "ignore_above": 1024, "type": "keyword" }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, "original": { "doc_values": false, "ignore_above": 1024, diff --git a/schema.json b/schema.json index 281bf8376a..0b105f7f46 100644 --- a/schema.json +++ b/schema.json @@ -1326,6 +1326,16 @@ "required": false, "type": "keyword" }, + "log.logger": { + "description": "The name of the logger, usually the name of the class which initialized the logger.", + "example": "org.elasticsearch.bootstrap.Bootstrap", + "footnote": "", + "group": 2, + "level": "core", + "name": "log.logger", + "required": false, + "type": "keyword" + }, "log.original": { "description": "This is the original log message and contains the full log message before splitting it up in multiple parts.\nIn contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message.\nThis field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`.", "example": "Sep 19 08:26:10 localhost My log", diff --git a/schemas/log.yml b/schemas/log.yml index 2a0a5e235c..d079c5be3f 100644 --- a/schemas/log.yml +++ b/schemas/log.yml 
@@ -35,3 +35,11 @@
 This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`.
+
+ - name: logger
+ level: core
+ type: keyword
+ example: org.elasticsearch.bootstrap.Bootstrap
+ short: Name of the logger.
+ description: >
+ The name of the logger, usually the name of the class which initialized the logger.
From 34e67f1a4319e5f6f82a3cda01d82c78f4827989 Mon Sep 17 00:00:00 2001
From: Felix Barnsteiner
Date: Fri, 16 Aug 2019 11:34:16 +0200
Subject: [PATCH 4/6] Add changelog
---
 CHANGELOG.next.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index ca7307fcd1..1a1ef36383 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -15,6 +15,7 @@
 * Added `domain` field to user. #486
 * Added `.nat.ip` and `.nat.port` to `source`, `destination`, `client` and `server`. #491
 * Added `as` fields for Autonomous System information (i.e. ASN). #341
+* Added `log.logger` field. #521
 ### Improvements
From 345f93f3d8405fd38b28809158e1edc761edd91a Mon Sep 17 00:00:00 2001
From: Felix Barnsteiner
Date: Fri, 16 Aug 2019 15:10:31 +0200
Subject: [PATCH 5/6] Apply suggestions from code review
Co-Authored-By: Mathieu Martin
---
 schemas/log.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/schemas/log.yml b/schemas/log.yml
index d079c5be3f..3bc05c30a2 100644
--- a/schemas/log.yml
+++ b/schemas/log.yml
@@ -42,4 +42,4 @@
 example: org.elasticsearch.bootstrap.Bootstrap
 short: Name of the logger.
 description: >
- The name of the logger, usually the name of the class which initialized the logger.
+ The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
From 61bbacc3c127c62462eb0e4d8a361778bfbe6ba8 Mon Sep 17 00:00:00 2001
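Review bot: The `description` added for `logger` in schemas/log.yml (and its reworded form in the PATCH 5/6 hunk on the same line) says what the value usually is but not what shape it should have, while the generated mappings in the template.json hunks above make `log.logger` a `keyword` with `ignore_above: 1024`, i.e. a field meant to be filtered and aggregated on. Nothing tells producers that the value should be a stable identifier (class, module or package name) rather than something derived from a request, a user or an instance, which would make the field high-cardinality and weaken per-logger aggregations; the `or can be a custom name` wording in PATCH 5/6 widens that further. Consider appending to the `description` a sentence such as `This should be a stable identifier (for example a class, module or package name) rather than a per-request or per-instance value, so the field remains usable for aggregations.`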
From: Felix Barnsteiner
Date: Fri, 16 Aug 2019 15:31:41 +0200
Subject: [PATCH 6/6] Update generated documentation
---
 code/go/ecs/log.go | 4 ++--
 docs/field-details.asciidoc | 2 +-
 generated/beats/fields.ecs.yml | 4 ++--
 generated/ecs/ecs_flat.yml | 4 ++--
 generated/ecs/ecs_nested.yml | 4 ++--
 schema.json | 2 +-
 6 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/code/go/ecs/log.go b/code/go/ecs/log.go
index b23ae4474e..492319a8b8 100644
--- a/code/go/ecs/log.go
+++ b/code/go/ecs/log.go
@@ -35,7 +35,7 @@ type Log struct {
 // queried but the value can be retrieved from `_source`.
 Original string `ecs:"original"`
- // The name of the logger, usually the name of the class which initialized
- // the logger.
+ // The name of the logger inside an application. This is usually the name
+ // of the class which initialized the logger, or can be a custom name.
 Logger string `ecs:"logger"`
 }
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index f1298c5f3e..cbdba72a43 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -1843,7 +1843,7 @@ example: `err`
 // ===============================================================
 | log.logger
-| The name of the logger, usually the name of the class which initialized the logger.
+| The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
 type: keyword
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 8128b7af9c..e775db6cec 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -1382,8 +1382,8 @@
 level: core
 type: keyword
 ignore_above: 1024
- description: The name of the logger, usually the name of the class which initialized
- the logger.
+ description: The name of the logger inside an application. This is usually the
+ name of the class which initialized the logger, or can be a custom name.
 example: org.elasticsearch.bootstrap.Bootstrap
 - name: original
 level: core
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index fa4852398a..1b6b9e5b45 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -1967,8 +1967,8 @@ log.level:
 short: Log level of the log event.
 type: keyword
 log.logger:
- description: The name of the logger, usually the name of the class which initialized
- the logger.
+ description: The name of the logger inside an application. This is usually the name
+ of the class which initialized the logger, or can be a custom name.
 example: org.elasticsearch.bootstrap.Bootstrap
 flat_name: log.logger
 ignore_above: 1024
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 465c2cc764..303d9db342 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -2256,8 +2256,8 @@ log:
 short: Log level of the log event.
 type: keyword
 logger:
- description: The name of the logger, usually the name of the class which initialized
- the logger.
+ description: The name of the logger inside an application. This is usually the
+ name of the class which initialized the logger, or can be a custom name.
 example: org.elasticsearch.bootstrap.Bootstrap
 flat_name: log.logger
 ignore_above: 1024
diff --git a/schema.json b/schema.json
index c8c05b2207..bfc0d4a708 100644
--- a/schema.json
+++ b/schema.json
@@ -1327,7 +1327,7 @@
 "type": "keyword"
 },
 "log.logger": {
- "description": "The name of the logger, usually the name of the class which initialized the logger.",
+ "description": "The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.",
 "example": "org.elasticsearch.bootstrap.Bootstrap",
 "footnote": "",
 "group": 2,