Copy client.ip to source.ip

_meta/fields.common.yml

@@ -524,13 +524,22 @@
       dynamic: false
       type: group
       fields:
+      - name: ip
+        type: ip
+        description: >
+          IP address of the client of a recorded event.
+          This is typically obtained from a request's X-Forwarded-For or the X-Real-IP header or falls back to a given configuration for remote address.
+        overwrite: true
 
+    - name: source
+      dynamic: false
+      type: group
+      fields:
       - name: ip
         type: ip
         description: >
-          IP of the user where the event is recorded, typically a web browser.
-          This is obtained from the X-Forwarded-For header, of which the first entry is the IP of the original client.
-          This value however might not be necessarily trusted, as it can be forged by a malicious user.
+          IP address of the source of a recorded event.
+          This is typically obtained from a request's X-Forwarded-For or the X-Real-IP header or falls back to a given configuration for remote address.
         overwrite: true
 
     - name: user_agent

beater/test_approved_es_documents/TestPublishIntegrationErrors.approved.json

@@ -307,6 +307,9 @@
                 },
                 "version": "5.1.3"
             },
+            "source": {
+                "ip": "12.53.12.1"
+            },
             "timestamp": {
                 "us": 1494342245999999
             },

beater/test_approved_es_documents/TestPublishIntegrationTransactions.approved.json

@@ -253,6 +253,9 @@
                 },
                 "version": "5.1.3"
             },
+            "source": {
+                "ip": "12.53.12.1"
+            },
             "timestamp": {
                 "us": 1496170407154000
             },

changelogs/head.asciidoc

@@ -4,5 +4,6 @@
 [float]
 ==== Added
 - Add `service.node.configured_name` to Intake API and transform to `service.node.name` for ES output {pull}2746[2746].
+- Index value from `client.ip` in `source.ip`for SIEM integration {pull}2771[2771].
 
 https://github.com/elastic/apm-server/compare/7.4\...master[View commits]

docs/data/elasticsearch/generated/errors.json

@@ -290,6 +290,9 @@
                 },
                 "version": "5.1.3"
             },
+            "source": {
+                "ip": "12.53.12.1"
+            },
             "timestamp": {
                 "us": 1494342245999999
             },

docs/data/elasticsearch/generated/transactions.json

@@ -219,6 +219,9 @@
                 },
                 "version": "5.1.3"
             },
+            "source": {
+                "ip": "12.53.12.1"
+            },
             "timestamp": {
                 "us": 1496170407154000
             },

docs/fields.asciidoc

@@ -793,7 +793,18 @@ type: keyword
 *`client.ip`*::
 +
 --
-IP of the user where the event is recorded, typically a web browser. This is obtained from the X-Forwarded-For header, of which the first entry is the IP of the original client. This value however might not be necessarily trusted, as it can be forged by a malicious user.
+IP address of the client of a recorded event. This is typically obtained from a request's X-Forwarded-For or the X-Real-IP header or falls back to a given configuration for remote address.
+
+
+type: ip
+
+--
+
+
+*`source.ip`*::
++
+--
+IP address of the source of a recorded event. This is typically obtained from a request's X-Forwarded-For or the X-Real-IP header or falls back to a given configuration for remote address.
 
 
 type: ip

model/error/event.go

@@ -194,7 +194,9 @@ func (e *Event) Transform(tctx *transform.Context) []beat.Event {
 	tctx.Metadata.Set(fields)
 	// then add event specific information
 	utility.Update(fields, "user", e.User.Fields())
-	utility.DeepUpdate(fields, "client", e.Http.ClientFields(e.User.ClientFields()))
+	clientIP := e.Http.ClientFields(e.User.ClientFields())
+	utility.DeepUpdate(fields, "client", clientIP)
+	utility.DeepUpdate(fields, "source", clientIP)
 	utility.DeepUpdate(fields, "user_agent", e.User.UserAgentFields())
 	utility.DeepUpdate(fields, "service", e.Service.Fields(emptyString, emptyString))
 	utility.DeepUpdate(fields, "agent", e.Service.AgentFields())

model/error/event_test.go

@@ -651,6 +651,7 @@ func TestEvents(t *testing.T) {
 				"agent":      common.MapStr{"name": "go", "version": "1.0"},
 				"user":       common.MapStr{"email": email},
 				"client":     common.MapStr{"ip": userIp},
+				"source":     common.MapStr{"ip": userIp},
 				"user_agent": common.MapStr{"original": userAgent},
 				"error": common.MapStr{
 					"custom": common.MapStr{

model/transaction/event.go

@@ -182,7 +182,9 @@ func (e *Event) Transform(tctx *transform.Context) []beat.Event {
 
 	// then merge event specific information
 	utility.Update(fields, "user", e.User.Fields())
-	utility.DeepUpdate(fields, "client", e.Http.ClientFields(e.User.ClientFields()))
+	clientIP := e.Http.ClientFields(e.User.ClientFields())
+	utility.DeepUpdate(fields, "client", clientIP)
+	utility.DeepUpdate(fields, "source", clientIP)
 	utility.DeepUpdate(fields, "user_agent", e.User.UserAgentFields())
 	utility.DeepUpdate(fields, "service", e.Service.Fields(emptyString, emptyString))
 	utility.DeepUpdate(fields, "agent", e.Service.AgentFields())

model/transaction/event_test.go

@@ -370,6 +370,7 @@ func TestEventsTransformWithMetadata(t *testing.T) {
 	txWithContextEs := common.MapStr{
 		"user":       common.MapStr{"id": "123", "name": "jane"},
 		"client":     common.MapStr{"ip": "63.23.123.4"},
+		"source":     common.MapStr{"ip": "63.23.123.4"},
 		"user_agent": common.MapStr{"original": userAgent},
 		"host": common.MapStr{
 			"architecture": "darwin",

processor/stream/package_tests/error_attrs_test.go

@@ -55,7 +55,7 @@ func errorPayloadAttrsNotInFields() *tests.Set {
 func errorFieldsNotInPayloadAttrs() *tests.Set {
 	return tests.NewSet(
 		"view errors", "error id icon",
-		"host.ip", "transaction.name",
+		"host.ip", "transaction.name", "source.ip",
 		tests.Group("observer"),
 		tests.Group("user"),
 		tests.Group("client"),

processor/stream/package_tests/span_attrs_test.go

@@ -64,6 +64,7 @@ func spanFieldsNotInPayloadAttrs() *tests.Set {
 			tests.Group("service"),
 			tests.Group("user"),
 			tests.Group("client"),
+			tests.Group("source"),
 			tests.Group("http"),
 			tests.Group("url"),
 			tests.Group("span.self_time"),

processor/stream/package_tests/transaction_attrs_test.go

@@ -56,6 +56,7 @@ func transactionFieldsNotInPayloadAttrs() *tests.Set {
 		"host.ip",
 		"transaction.duration.count",
 		"transaction.marks.*.*",
+		"source.ip",
 		tests.Group("observer"),
 		tests.Group("user"),
 		tests.Group("client"),

processor/stream/test_approved_es_documents/testIntakeIntegrationErrors.approved.json

@@ -290,6 +290,9 @@
                 },
                 "version": "5.1.3"
             },
+            "source": {
+                "ip": "12.53.12.1"
+            },
             "timestamp": {
                 "us": 1494342245999999
             },

processor/stream/test_approved_es_documents/testIntakeIntegrationTransactions.approved.json

@@ -219,6 +219,9 @@
                 },
                 "version": "5.1.3"
             },
+            "source": {
+                "ip": "12.53.12.1"
+            },
             "timestamp": {
                 "us": 1496170407154000
             },

tests/system/error.approved.json

@@ -210,6 +210,9 @@
                     "region_name": "Indiana"
                 }
             },
+            "source": {
+                "ip": "12.53.12.1"
+            },
             "url": {
                 "domain": "www.example.com",
                 "fragment": "#hash",

tests/system/transaction.approved.json

@@ -149,6 +149,9 @@
                     "region_name": "Indiana"
                 }
             },
+            "source": {
+                "ip": "12.53.12.1"
+            },
             "labels": {
                 "number_code": 2,
                 "bool_error": false,