[Filebeat] Remove alias fields from Suricata and Traefik module mappi…

…ngs (#26627) * Remove alias fields from Suricata/Traefik module mappings Alias fields are displayed in Kibana whenever their target exists in a document. This yields confusing results when, for example, you are looking at Zeek module events but see many `suricata.eve.*` fields just because Zeek populates many ECS fields. This is a breaking change for users that depend on the Suricata alias fields. Because these alias cause issues for all users I think it best to remove them. The following alias fields are removed: suricata.eve.fileinfo.filename suricata.eve.fileinfo.size suricata.eve.dest_port suricata.eve.src_port suricata.eve.proto suricata.eve.src_ip suricata.eve.dest_ip suricata.eve.http.status suricata.eve.http.http_user_agent suricata.eve.http.http_refer suricata.eve.http.url suricata.eve.http.hostname suricata.eve.http.http_refer suricata.eve.http.url suricata.eve.http.hostname suricata.eve.http.length suricata.eve.http.http_method suricata.eve.alert.severity suricata.eve.alert.action suricata.eve.flow.bytes_toclient suricata.eve.flow.start suricata.eve.flow.pkts_toclient suricata.eve.flow.bytes_toserver suricata.eve.flow.pkts_toserver suricata.eve.app_proto traefik.access.user_agent.device Relates: #10535 * Fix changelog
elastic · Jul 15, 2021 · 877ae2c · 877ae2c
1 parent 222f8c2
commit 877ae2c
Show file tree

Hide file tree

Showing 6 changed files with 3 additions and 300 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -107,6 +107,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Change logging in logs input to structure logging. Some log message formats have changed. {pull}25299[25299]
 - Change source field for `event.action` in `fortinet.firewall` module to `fortinet.firewall.action` instead of `fortinet.firewall.eventtype`. {pull}24816[24816]
 - threatintel module: Changed the type of `threatintel.indicator.first_seen` from `keyword` to `date`. {pull}26765[26765]
+- Remove all alias fields pointing to ECS fields from modules. This affects the Suricata and Traefik modules. {issue}10535[10535] {pull}26627[26627]
 
 *Heartbeat*
 - Add support for screenshot blocks and use newer synthetics flags that only works in newer synthetics betas. {pull}25808[25808]

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -150119,15 +150119,6 @@ type: keyword
 
 --
 
-*`suricata.eve.fileinfo.filename`*::
-+
---
-type: alias
-
-alias to: file.path
-
---
-
 *`suricata.eve.fileinfo.tx_id`*::
 +
 --
@@ -150170,65 +150161,20 @@ type: keyword
 
 --
 
-*`suricata.eve.fileinfo.size`*::
-+
---
-type: alias
-
-alias to: file.size
-
---
-
 *`suricata.eve.icmp_type`*::
 +
 --
 type: long
 
 --
 
-*`suricata.eve.dest_port`*::
-+
---
-type: alias
-
-alias to: destination.port
-
---
-
-*`suricata.eve.src_port`*::
-+
---
-type: alias
-
-alias to: source.port
-
---
-
-*`suricata.eve.proto`*::
-+
---
-type: alias
-
-alias to: network.transport
-
---
-
 *`suricata.eve.pcap_cnt`*::
 +
 --
 type: long
 
 --
 
-*`suricata.eve.src_ip`*::
-+
---
-type: alias
-
-alias to: source.ip
-
---
-
 
 *`suricata.eve.dns.type`*::
 +
@@ -150301,15 +150247,6 @@ type: keyword
 
 --
 
-*`suricata.eve.dest_ip`*::
-+
---
-type: alias
-
-alias to: destination.ip
-
---
-
 *`suricata.eve.icmp_code`*::
 +
 --
@@ -150318,83 +150255,20 @@ type: long
 --
 
 
-*`suricata.eve.http.status`*::
-+
---
-type: alias
-
-alias to: http.response.status_code
-
---
-
 *`suricata.eve.http.redirect`*::
 +
 --
 type: keyword
 
 --
 
-*`suricata.eve.http.http_user_agent`*::
-+
---
-type: alias
-
-alias to: user_agent.original
-
---
-
 *`suricata.eve.http.protocol`*::
 +
 --
 type: keyword
 
 --
 
-*`suricata.eve.http.http_refer`*::
-+
---
-type: alias
-
-alias to: http.request.referrer
-
---
-
-*`suricata.eve.http.url`*::
-+
---
-type: alias
-
-alias to: url.original
-
---
-
-*`suricata.eve.http.hostname`*::
-+
---
-type: alias
-
-alias to: url.domain
-
---
-
-*`suricata.eve.http.length`*::
-+
---
-type: alias
-
-alias to: http.response.body.bytes
-
---
-
-*`suricata.eve.http.http_method`*::
-+
---
-type: alias
-
-alias to: http.request.method
-
---
-
 *`suricata.eve.http.http_content_type`*::
 +
 --
@@ -150426,15 +150300,6 @@ type: keyword
 
 --
 
-*`suricata.eve.alert.severity`*::
-+
---
-type: alias
-
-alias to: event.severity
-
---
-
 *`suricata.eve.alert.rev`*::
 +
 --
@@ -150456,15 +150321,6 @@ type: keyword
 
 --
 
-*`suricata.eve.alert.action`*::
-+
---
-type: alias
-
-alias to: event.outcome
-
---
-
 *`suricata.eve.alert.signature_id`*::
 +
 --
@@ -151611,33 +151467,6 @@ type: keyword
 --
 
 
-*`suricata.eve.flow.bytes_toclient`*::
-+
---
-type: alias
-
-alias to: destination.bytes
-
---
-
-*`suricata.eve.flow.start`*::
-+
---
-type: alias
-
-alias to: event.start
-
---
-
-*`suricata.eve.flow.pkts_toclient`*::
-+
---
-type: alias
-
-alias to: destination.packets
-
---
-
 *`suricata.eve.flow.age`*::
 +
 --
@@ -151652,47 +151481,20 @@ type: keyword
 
 --
 
-*`suricata.eve.flow.bytes_toserver`*::
-+
---
-type: alias
-
-alias to: source.bytes
-
---
-
 *`suricata.eve.flow.reason`*::
 +
 --
 type: keyword
 
 --
 
-*`suricata.eve.flow.pkts_toserver`*::
-+
---
-type: alias
-
-alias to: source.packets
-
---
-
 *`suricata.eve.flow.alerted`*::
 +
 --
 type: boolean
 
 --
 
-*`suricata.eve.app_proto`*::
-+
---
-type: alias
-
-alias to: network.protocol
-
---
-
 *`suricata.eve.tx_id`*::
 +
 --
@@ -159585,15 +159387,6 @@ alias to: user_agent.original
 --
 
 
-*`traefik.access.user_agent.device`*::
-+
---
-type: alias
-
-alias to: user_agent.device.name
-
---
-
 *`traefik.access.user_agent.name`*::
 +
 --

diff --git a/filebeat/module/traefik/access/_meta/fields.yml b/filebeat/module/traefik/access/_meta/fields.yml
@@ -60,9 +60,6 @@
     - name: user_agent
       type: group
       fields:
-        - name: device
-          type: alias
-          path: user_agent.device.name
         - name: name
           type: alias
           path: user_agent.name

diff --git a/filebeat/module/traefik/fields.go b/filebeat/module/traefik/fields.go