-
Notifications
You must be signed in to change notification settings - Fork 410
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mime Types #749
Comments
Ah right, good point. Where would you see adding a
Is it worth breaking up the mime_type into type, subtype & parameter to discrete fields, you think? BTW you're still hanging around the cool places, and that's what counts ;-) |
I think all those fields are perfect start. I don't think necessary to break up. |
Solved by #760 |
Sounds good 👍 |
Reading over the past discussion here, #760, and #554, appears only the I do see a case for populating a dedicated However, I'm not sure Also while |
Yes, you're right. So the idea behind both http mime_type fields is not for them to be a replacement for the http headers. We don't have http headers defined yet in ECS, so perhaps it's a bit early to tackle this, after all. But the overall plan is the content-type headers would always go to their appropriate place in the header fields. The mime_type should be populated only when doing analysis of the body. We could likely make a concession that the http mime_type can also be populated based on the http headers if the source of the header is trusted (e.g. I trust my web server's access logs to set The goal is specifically to enable analysis on And indeed I would keep the accept headers out of this completely. They're telling us a different thing :-) |
I was wondering if we could discuss/add
mime_type
as a nested field.There is a bit discussed on this already over at #554, however since it started as HTTP specific header fields, I think it may have gotten lost in the mix and mime type's deserve their own issue :)
I think this would be a pretty quick win that would benefit setting up some nice analytics and just all around schema for a lot of logs.
a really easy "analytic" is something like
file.mime_type:"application/x-dosexec" AND NOT file.extension:(exe OR dll OR msi)
Some type of logs and things that would benefit:
Miss you @webmat ;)
The text was updated successfully, but these errors were encountered: