Update http and url fields according to ECS

Also loosen the Intake API so that url.port can be a string or a number. It will be indexed as number
elastic · Jan 23, 2019 · beec178 · beec178
1 parent ab98d9e
commit beec178
Show file tree

Hide file tree

Showing 28 changed files with 853 additions and 643 deletions.
diff --git a/_meta/ecs-migration.yml b/_meta/ecs-migration.yml
@@ -17,9 +17,12 @@
 #- from: beat.version
 #  to: observer.version
 #
+
+  # field in ECS, but with a different meaning
 - from: context.service.agent.name
   to: agent.name
-#
+
+  # field in ECS, but with a different meaning
 - from: context.service.agent.version
   to: agent.version
 
@@ -35,42 +38,50 @@
 - from: context.system.platform
   to: host.os.platform
 
-#- from: context.request.method
-#  to: http.request.method
-#
-#- from: context.request.http_version
-#  to: http.version
-#
-#- from: context.request.body
-#  to: http.request.body
-#  index: false
-#
-## Not in ECS
-#- from: context.request.cookies
-#  to: http.request.headers.cookies.parsed
-#  index: false
-#
-## Not in ECS
-#- from: context.request.headers.cookie
-#  to: http.request.headers.cookies.original
-#  index: false
-#
-#- from: context.request.headers.user-agent
-#  to: http.request.headers.user-agent
-#  index: false
-#
-#- from: context.request.headers.content-type
-#  to: http.request.headers.content-type
-#  index: false
-#
-#- from: context.request.env
-#  to: http.request.env
-#  index: false
-#
-#- from: context.request.socket
-#  to: http.request.socket
-#  index: false
-#
+  # from upper case to lower case
+- from: context.request.method
+  to: http.request.method
+
+- from: context.request.http_version
+  to: http.version
+
+  # conflicts with ECS, we can't align on name because we don't index it
+- from: context.request.body
+  to: http.request.body.original
+  index: false
+
+  # not in ECS
+- from: context.request.cookies
+  to: http.request.headers.cookies.parsed
+  index: false
+
+  # not in ECS
+- from: context.request.headers.cookie
+  to: http.request.headers.cookies.original
+  index: false
+
+  # not in ECS
+  # `original` for consistency with root user_agent
+  # dashed for consistency with other headers
+- from: context.request.headers.user-agent
+  to: http.request.headers.user-agent.original
+  index: false
+
+  # not in ECS
+- from: context.request.headers.content-type
+  to: http.request.headers.content-type
+  index: false
+
+  # not in ECS
+- from: context.request.env
+  to: http.request.env
+  index: false
+
+  # not in ECS
+- from: context.request.socket
+  to: http.request.socket
+  index: false
+
 - from: context.process.pid
   to: process.pid
 
@@ -117,53 +128,48 @@
 - from: context.service.version
   to: service.version
 
-#- from: context.request.url.full
-#  to: url.full
+- from: context.request.url.full
+  to: url.full
 
-#
-#- from: context.request.url.hash
-#  to: url.fragment
+- from: context.request.url.hash
+  to: url.fragment
 
-#
-#- from: context.request.url.hostname
-#  to: url.domain
+- from: context.request.url.hostname
+  to: url.domain
 
-#
-#- from: context.request.url.pathname
-#  to: url.path
+- from: context.request.url.pathname
+  to: url.path
 
-#
-#- from: context.request.url.port
-#  to: url.port
+  # from string or number to number
+- from: context.request.url.port
+  to: url.port
 
-#
-#- from: context.request.url.raw
-#  to: url.original
-#  index: false
-#
-#- from: context.request.url.search
-#  to: url.query
+- from: context.request.url.raw
+  to: url.original
+  index: false
 
-#
-#- from: context.request.url.protocol
-#  to: url.scheme
+- from: context.request.url.search
+  to: url.query
 
-#
-#- from: context.response.finished
-#  to: http.response.finished
+- from: context.request.url.protocol
+  to: url.scheme
 
-#
-#- from: context.response.status_code
-#  to: http.response.status_code
+  # not in ECS
+- from: context.response.finished
+  to: http.response.finished
 
-#
-#- from: context.response.headers.content-type
-#  to: http.response.headers.content-type
-#  index: false
-#
-#- from: context.response.headers_sent
-#  to: http.response.headers.sent
-#  index: false
+- from: context.response.status_code
+  to: http.response.status_code
+
+  # not in ECS
+- from: context.response.headers.content-type
+  to: http.response.headers.content-type
+  index: false
+
+  # not in ECS
+- from: context.response.headers_sent
+  to: http.response.headers_sent
+  index: false
 
   # not in ECS
 - from: context.custom
@@ -185,30 +191,25 @@
   to: context.db.content
   index: false
 
-#  # not in ECS
-#- from: context.db.user
-#  to: context.db.user
-#  index: false
-#
-#- from: context.user.email
-#  to: user.email
+  # not in ECS
+- from: context.db.user
+  to: context.db.user
+  index: false
 
-#
-#- from: context.user.id
-#  to: user.id
+- from: context.user.email
+  to: user.email
 
-#
-#- from: context.user.username
-#  to: user.name
+- from: context.user.id
+  to: user.id
 
-#
-#- from: context.user.ip
-#  to: client.ip
+- from: context.user.username
+  to: user.name
 
-#
-#- from: context.user.user-agent
-#  to: user_agent.original.text
+- from: context.user.ip
+  to: client.ip
+
+- from: context.user.user-agent
+  to: user_agent.original
 
-#
 - from: listening
   to: observer.listening