From 759e3a87618442adcf6805ee09d2a1baeb60c51f Mon Sep 17 00:00:00 2001
From: Patrick Mueller
Date: Thu, 17 Oct 2019 22:59:16 -0400
Subject: [PATCH] add ECS type generator

---
 x-pack/plugins/event_log/generated/README.md | 4 +
 .../plugins/event_log/generated/mappings.json | 1880 +++++++++++++++++
 x-pack/plugins/event_log/generated/schemas.ts | 1390 ++++++++++++
 .../event_log/scripts/create_schemas.js | 352 +++
 .../event_log/scripts/lib/line_writer.js | 36 +
 5 files changed, 3662 insertions(+)
 create mode 100644 x-pack/plugins/event_log/generated/README.md
 create mode 100644 x-pack/plugins/event_log/generated/mappings.json
 create mode 100644 x-pack/plugins/event_log/generated/schemas.ts
 create mode 100755 x-pack/plugins/event_log/scripts/create_schemas.js
 create mode 100644 x-pack/plugins/event_log/scripts/lib/line_writer.js

diff --git a/x-pack/plugins/event_log/generated/README.md b/x-pack/plugins/event_log/generated/README.md
new file mode 100644
index 000000000000000..0361cb12882ab73
--- /dev/null
+++ b/x-pack/plugins/event_log/generated/README.md
@@ -0,0 +1,4 @@
+The files in this directory were generated by manually running the script
+../scripts/create-schemas.js from the root directory of the repository.
+
+These files should not be edited by hand.
diff --git a/x-pack/plugins/event_log/generated/mappings.json b/x-pack/plugins/event_log/generated/mappings.json
new file mode 100644
index 000000000000000..d8118795aa7f3cc
--- /dev/null
+++ b/x-pack/plugins/event_log/generated/mappings.json
@@ -0,0 +1,1880 @@ +{ + "dynamic": "strict", + "mappings": { + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object", + "enabled": false + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + 
}, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "stack_trace": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + 
"ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object", + "enabled": false + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": 
"integer" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "message": { + "norms": false, + "type": "text" + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "observer": { + "properties": { + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "size": { + "type": "long" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 
1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_agent": { + "properties": { + 
"device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kibana": { + "properties": { + "username": { + "ignore_above": 1024, + "type": "keyword" + }, + "spaceId": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } +} \ No newline at end of file diff --git a/x-pack/plugins/event_log/generated/schemas.ts b/x-pack/plugins/event_log/generated/schemas.ts new file mode 100644 index 000000000000000..4469aefd2adfc4f --- /dev/null +++ b/x-pack/plugins/event_log/generated/schemas.ts 
@@ -0,0 +1,1390 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +// ---------------------------------- WARNING ---------------------------------- +// this file was generated, and should not be edited by hand +// ---------------------------------- WARNING ---------------------------------- + +// provides TypeScript and config-schema interfaces for ECS for use with +// the event log + +import { schema } from '@kbn/config-schema'; +import { isDate } from 'lodash'; + +export const ECS_VERSION = '1.2.0'; + +// a typescript interface describing the schema +export interface IEvent { + '@timestamp'?: Date | Date[]; + agent?: { + ephemeral_id?: string | string[]; + id?: string | string[]; + name?: string | string[]; + type?: string | string[]; + version?: string | string[]; + }; + as?: { + number?: number | number[]; + organization?: { + name?: string | string[]; + }; + }; + client?: { + address?: string | string[]; + as?: { + number?: number | number[]; + organization?: { + name?: string | string[]; + }; + }; + bytes?: number | number[]; + domain?: string | string[]; + geo?: { + city_name?: string | string[]; + continent_name?: string | string[]; + country_iso_code?: string | string[]; + country_name?: string | string[]; + location?: GeoPoint | GeoPoint[]; + name?: string | string[]; + region_iso_code?: string | string[]; + region_name?: string | string[]; + }; + ip?: string | string[]; + mac?: string | string[]; + nat?: { + ip?: string | string[]; + port?: number | number[]; + }; + packets?: number | number[]; + port?: number | number[]; + registered_domain?: string | string[]; + top_level_domain?: string | string[]; + user?: { + domain?: string | string[]; + email?: string | string[]; + full_name?: string | string[]; + group?: { + domain?: string | string[]; + id?: 
string | string[]; + name?: string | string[]; + }; + hash?: string | string[]; + id?: string | string[]; + name?: string | string[]; + }; + }; + cloud?: { + account?: { + id?: string | string[]; + }; + availability_zone?: string | string[]; + instance?: { + id?: string | string[]; + name?: string | string[]; + }; + machine?: { + type?: string | string[]; + }; + provider?: string | string[]; + region?: string | string[]; + }; + container?: { + id?: string | string[]; + image?: { + name?: string | string[]; + tag?: string | string[]; + }; + labels?: Record; + name?: string | string[]; + runtime?: string | string[]; + }; + destination?: { + address?: string | string[]; + as?: { + number?: number | number[]; + organization?: { + name?: string | string[]; + }; + }; + bytes?: number | number[]; + domain?: string | string[]; + geo?: { + city_name?: string | string[]; + continent_name?: string | string[]; + country_iso_code?: string | string[]; + country_name?: string | string[]; + location?: GeoPoint | GeoPoint[]; + name?: string | string[]; + region_iso_code?: string | string[]; + region_name?: string | string[]; + }; + ip?: string | string[]; + mac?: string | string[]; + nat?: { + ip?: string | string[]; + port?: number | number[]; + }; + packets?: number | number[]; + port?: number | number[]; + registered_domain?: string | string[]; + top_level_domain?: string | string[]; + user?: { + domain?: string | string[]; + email?: string | string[]; + full_name?: string | string[]; + group?: { + domain?: string | string[]; + id?: string | string[]; + name?: string | string[]; + }; + hash?: string | string[]; + id?: string | string[]; + name?: string | string[]; + }; + }; + dns?: { + answers?: { + class?: string | string[]; + data?: string | string[]; + name?: string | string[]; + ttl?: number | number[]; + type?: string | string[]; + }; + header_flags?: string | string[]; + id?: string | string[]; + op_code?: string | string[]; + question?: { + class?: string | string[]; + 
name?: string | string[]; + registered_domain?: string | string[]; + subdomain?: string | string[]; + top_level_domain?: string | string[]; + type?: string | string[]; + }; + resolved_ip?: string | string[]; + response_code?: string | string[]; + type?: string | string[]; + }; + ecs?: { + version?: string | string[]; + }; + error?: { + code?: string | string[]; + id?: string | string[]; + message?: string | string[]; + stack_trace?: string | string[]; + type?: string | string[]; + }; + event?: { + action?: string | string[]; + category?: string | string[]; + code?: string | string[]; + created?: Date | Date[]; + dataset?: string | string[]; + duration?: number | number[]; + end?: Date | Date[]; + hash?: string | string[]; + id?: string | string[]; + kind?: string | string[]; + module?: string | string[]; + original?: string | string[]; + outcome?: string | string[]; + provider?: string | string[]; + risk_score?: number | number[]; + risk_score_norm?: number | number[]; + sequence?: number | number[]; + severity?: number | number[]; + start?: Date | Date[]; + timezone?: string | string[]; + type?: string | string[]; + }; + file?: { + accessed?: Date | Date[]; + created?: Date | Date[]; + ctime?: Date | Date[]; + device?: string | string[]; + directory?: string | string[]; + extension?: string | string[]; + gid?: string | string[]; + group?: string | string[]; + hash?: { + md5?: string | string[]; + sha1?: string | string[]; + sha256?: string | string[]; + sha512?: string | string[]; + }; + inode?: string | string[]; + mode?: string | string[]; + mtime?: Date | Date[]; + name?: string | string[]; + owner?: string | string[]; + path?: string | string[]; + size?: number | number[]; + target_path?: string | string[]; + type?: string | string[]; + uid?: string | string[]; + }; + geo?: { + city_name?: string | string[]; + continent_name?: string | string[]; + country_iso_code?: string | string[]; + country_name?: string | string[]; + location?: GeoPoint | GeoPoint[]; + 
name?: string | string[]; + region_iso_code?: string | string[]; + region_name?: string | string[]; + }; + group?: { + domain?: string | string[]; + id?: string | string[]; + name?: string | string[]; + }; + hash?: { + md5?: string | string[]; + sha1?: string | string[]; + sha256?: string | string[]; + sha512?: string | string[]; + }; + host?: { + architecture?: string | string[]; + geo?: { + city_name?: string | string[]; + continent_name?: string | string[]; + country_iso_code?: string | string[]; + country_name?: string | string[]; + location?: GeoPoint | GeoPoint[]; + name?: string | string[]; + region_iso_code?: string | string[]; + region_name?: string | string[]; + }; + hostname?: string | string[]; + id?: string | string[]; + ip?: string | string[]; + mac?: string | string[]; + name?: string | string[]; + os?: { + family?: string | string[]; + full?: string | string[]; + kernel?: string | string[]; + name?: string | string[]; + platform?: string | string[]; + version?: string | string[]; + }; + type?: string | string[]; + uptime?: number | number[]; + user?: { + domain?: string | string[]; + email?: string | string[]; + full_name?: string | string[]; + group?: { + domain?: string | string[]; + id?: string | string[]; + name?: string | string[]; + }; + hash?: string | string[]; + id?: string | string[]; + name?: string | string[]; + }; + }; + http?: { + request?: { + body?: { + bytes?: number | number[]; + content?: string | string[]; + }; + bytes?: number | number[]; + method?: string | string[]; + referrer?: string | string[]; + }; + response?: { + body?: { + bytes?: number | number[]; + content?: string | string[]; + }; + bytes?: number | number[]; + status_code?: number | number[]; + }; + version?: string | string[]; + }; + labels?: Record; + log?: { + level?: string | string[]; + logger?: string | string[]; + origin?: { + file?: { + line?: number | number[]; + name?: string | string[]; + }; + function?: string | string[]; + }; + original?: string | 
string[]; + syslog?: { + facility?: { + code?: number | number[]; + name?: string | string[]; + }; + priority?: number | number[]; + severity?: { + code?: number | number[]; + name?: string | string[]; + }; + }; + }; + message?: string | string[]; + network?: { + application?: string | string[]; + bytes?: number | number[]; + community_id?: string | string[]; + direction?: string | string[]; + forwarded_ip?: string | string[]; + iana_number?: string | string[]; + name?: string | string[]; + packets?: number | number[]; + protocol?: string | string[]; + transport?: string | string[]; + type?: string | string[]; + }; + observer?: { + geo?: { + city_name?: string | string[]; + continent_name?: string | string[]; + country_iso_code?: string | string[]; + country_name?: string | string[]; + location?: GeoPoint | GeoPoint[]; + name?: string | string[]; + region_iso_code?: string | string[]; + region_name?: string | string[]; + }; + hostname?: string | string[]; + ip?: string | string[]; + mac?: string | string[]; + name?: string | string[]; + os?: { + family?: string | string[]; + full?: string | string[]; + kernel?: string | string[]; + name?: string | string[]; + platform?: string | string[]; + version?: string | string[]; + }; + product?: string | string[]; + serial_number?: string | string[]; + type?: string | string[]; + vendor?: string | string[]; + version?: string | string[]; + }; + organization?: { + id?: string | string[]; + name?: string | string[]; + }; + os?: { + family?: string | string[]; + full?: string | string[]; + kernel?: string | string[]; + name?: string | string[]; + platform?: string | string[]; + version?: string | string[]; + }; + package?: { + architecture?: string | string[]; + checksum?: string | string[]; + description?: string | string[]; + install_scope?: string | string[]; + installed?: Date | Date[]; + license?: string | string[]; + name?: string | string[]; + path?: string | string[]; + size?: number | number[]; + version?: string | 
string[]; + }; + process?: { + args?: string | string[]; + executable?: string | string[]; + hash?: { + md5?: string | string[]; + sha1?: string | string[]; + sha256?: string | string[]; + sha512?: string | string[]; + }; + name?: string | string[]; + pgid?: number | number[]; + pid?: number | number[]; + ppid?: number | number[]; + start?: Date | Date[]; + thread?: { + id?: number | number[]; + name?: string | string[]; + }; + title?: string | string[]; + uptime?: number | number[]; + working_directory?: string | string[]; + }; + related?: { + ip?: string | string[]; + }; + server?: { + address?: string | string[]; + as?: { + number?: number | number[]; + organization?: { + name?: string | string[]; + }; + }; + bytes?: number | number[]; + domain?: string | string[]; + geo?: { + city_name?: string | string[]; + continent_name?: string | string[]; + country_iso_code?: string | string[]; + country_name?: string | string[]; + location?: GeoPoint | GeoPoint[]; + name?: string | string[]; + region_iso_code?: string | string[]; + region_name?: string | string[]; + }; + ip?: string | string[]; + mac?: string | string[]; + nat?: { + ip?: string | string[]; + port?: number | number[]; + }; + packets?: number | number[]; + port?: number | number[]; + registered_domain?: string | string[]; + top_level_domain?: string | string[]; + user?: { + domain?: string | string[]; + email?: string | string[]; + full_name?: string | string[]; + group?: { + domain?: string | string[]; + id?: string | string[]; + name?: string | string[]; + }; + hash?: string | string[]; + id?: string | string[]; + name?: string | string[]; + }; + }; + service?: { + ephemeral_id?: string | string[]; + id?: string | string[]; + name?: string | string[]; + node?: { + name?: string | string[]; + }; + state?: string | string[]; + type?: string | string[]; + version?: string | string[]; + }; + source?: { + address?: string | string[]; + as?: { + number?: number | number[]; + organization?: { + name?: string | 
string[]; + }; + }; + bytes?: number | number[]; + domain?: string | string[]; + geo?: { + city_name?: string | string[]; + continent_name?: string | string[]; + country_iso_code?: string | string[]; + country_name?: string | string[]; + location?: GeoPoint | GeoPoint[]; + name?: string | string[]; + region_iso_code?: string | string[]; + region_name?: string | string[]; + }; + ip?: string | string[]; + mac?: string | string[]; + nat?: { + ip?: string | string[]; + port?: number | number[]; + }; + packets?: number | number[]; + port?: number | number[]; + registered_domain?: string | string[]; + top_level_domain?: string | string[]; + user?: { + domain?: string | string[]; + email?: string | string[]; + full_name?: string | string[]; + group?: { + domain?: string | string[]; + id?: string | string[]; + name?: string | string[]; + }; + hash?: string | string[]; + id?: string | string[]; + name?: string | string[]; + }; + }; + tags?: string | string[]; + threat?: { + framework?: string | string[]; + tactic?: { + id?: string | string[]; + name?: string | string[]; + reference?: string | string[]; + }; + technique?: { + id?: string | string[]; + name?: string | string[]; + reference?: string | string[]; + }; + }; + trace?: { + id?: string | string[]; + }; + transaction?: { + id?: string | string[]; + }; + url?: { + domain?: string | string[]; + extension?: string | string[]; + fragment?: string | string[]; + full?: string | string[]; + original?: string | string[]; + password?: string | string[]; + path?: string | string[]; + port?: number | number[]; + query?: string | string[]; + registered_domain?: string | string[]; + scheme?: string | string[]; + top_level_domain?: string | string[]; + username?: string | string[]; + }; + user?: { + domain?: string | string[]; + email?: string | string[]; + full_name?: string | string[]; + group?: { + domain?: string | string[]; + id?: string | string[]; + name?: string | string[]; + }; + hash?: string | string[]; + id?: string | 
string[]; + name?: string | string[]; + }; + user_agent?: { + device?: { + name?: string | string[]; + }; + name?: string | string[]; + original?: string | string[]; + os?: { + family?: string | string[]; + full?: string | string[]; + kernel?: string | string[]; + name?: string | string[]; + platform?: string | string[]; + version?: string | string[]; + }; + version?: string | string[]; + }; + kibana?: { + username?: string | string[]; + spaceId?: string | string[]; + uuid?: string | string[]; + }; +} + +// a config-schema describing the schema +export const EventSchema = schema.maybe( + schema.object({ + '@timestamp': ecsDate(), + agent: schema.maybe( + schema.object({ + ephemeral_id: ecsString(), + id: ecsString(), + name: ecsString(), + type: ecsString(), + version: ecsString(), + }) + ), + as: schema.maybe( + schema.object({ + number: ecsNumber(), + organization: schema.maybe( + schema.object({ + name: ecsString(), + }) + ), + }) + ), + client: schema.maybe( + schema.object({ + address: ecsString(), + as: schema.maybe( + schema.object({ + number: ecsNumber(), + organization: schema.maybe( + schema.object({ + name: ecsString(), + }) + ), + }) + ), + bytes: ecsNumber(), + domain: ecsString(), + geo: schema.maybe( + schema.object({ + city_name: ecsString(), + continent_name: ecsString(), + country_iso_code: ecsString(), + country_name: ecsString(), + location: ecsGeoPoint(), + name: ecsString(), + region_iso_code: ecsString(), + region_name: ecsString(), + }) + ), + ip: ecsString(), + mac: ecsString(), + nat: schema.maybe( + schema.object({ + ip: ecsString(), + port: ecsNumber(), + }) + ), + packets: ecsNumber(), + port: ecsNumber(), + registered_domain: ecsString(), + top_level_domain: ecsString(), + user: schema.maybe( + schema.object({ + domain: ecsString(), + email: ecsString(), + full_name: ecsString(), + group: schema.maybe( + schema.object({ + domain: ecsString(), + id: ecsString(), + name: ecsString(), + }) + ), + hash: ecsString(), + id: ecsString(), + 
name: ecsString(), + }) + ), + }) + ), + cloud: schema.maybe( + schema.object({ + account: schema.maybe( + schema.object({ + id: ecsString(), + }) + ), + availability_zone: ecsString(), + instance: schema.maybe( + schema.object({ + id: ecsString(), + name: ecsString(), + }) + ), + machine: schema.maybe( + schema.object({ + type: ecsString(), + }) + ), + provider: ecsString(), + region: ecsString(), + }) + ), + container: schema.maybe( + schema.object({ + id: ecsString(), + image: schema.maybe( + schema.object({ + name: ecsString(), + tag: ecsString(), + }) + ), + labels: ecsOpenObject(), + name: ecsString(), + runtime: ecsString(), + }) + ), + destination: schema.maybe( + schema.object({ + address: ecsString(), + as: schema.maybe( + schema.object({ + number: ecsNumber(), + organization: schema.maybe( + schema.object({ + name: ecsString(), + }) + ), + }) + ), + bytes: ecsNumber(), + domain: ecsString(), + geo: schema.maybe( + schema.object({ + city_name: ecsString(), + continent_name: ecsString(), + country_iso_code: ecsString(), + country_name: ecsString(), + location: ecsGeoPoint(), + name: ecsString(), + region_iso_code: ecsString(), + region_name: ecsString(), + }) + ), + ip: ecsString(), + mac: ecsString(), + nat: schema.maybe( + schema.object({ + ip: ecsString(), + port: ecsNumber(), + }) + ), + packets: ecsNumber(), + port: ecsNumber(), + registered_domain: ecsString(), + top_level_domain: ecsString(), + user: schema.maybe( + schema.object({ + domain: ecsString(), + email: ecsString(), + full_name: ecsString(), + group: schema.maybe( + schema.object({ + domain: ecsString(), + id: ecsString(), + name: ecsString(), + }) + ), + hash: ecsString(), + id: ecsString(), + name: ecsString(), + }) + ), + }) + ), + dns: schema.maybe( + schema.object({ + answers: schema.maybe( + schema.object({ + class: ecsString(), + data: ecsString(), + name: ecsString(), + ttl: ecsNumber(), + type: ecsString(), + }) + ), + header_flags: ecsString(), + id: ecsString(), + op_code: 
ecsString(), + question: schema.maybe( + schema.object({ + class: ecsString(), + name: ecsString(), + registered_domain: ecsString(), + subdomain: ecsString(), + top_level_domain: ecsString(), + type: ecsString(), + }) + ), + resolved_ip: ecsString(), + response_code: ecsString(), + type: ecsString(), + }) + ), + ecs: schema.maybe( + schema.object({ + version: ecsString(), + }) + ), + error: schema.maybe( + schema.object({ + code: ecsString(), + id: ecsString(), + message: ecsString(), + stack_trace: ecsString(), + type: ecsString(), + }) + ), + event: schema.maybe( + schema.object({ + action: ecsString(), + category: ecsString(), + code: ecsString(), + created: ecsDate(), + dataset: ecsString(), + duration: ecsNumber(), + end: ecsDate(), + hash: ecsString(), + id: ecsString(), + kind: ecsString(), + module: ecsString(), + original: ecsString(), + outcome: ecsString(), + provider: ecsString(), + risk_score: ecsNumber(), + risk_score_norm: ecsNumber(), + sequence: ecsNumber(), + severity: ecsNumber(), + start: ecsDate(), + timezone: ecsString(), + type: ecsString(), + }) + ), + file: schema.maybe( + schema.object({ + accessed: ecsDate(), + created: ecsDate(), + ctime: ecsDate(), + device: ecsString(), + directory: ecsString(), + extension: ecsString(), + gid: ecsString(), + group: ecsString(), + hash: schema.maybe( + schema.object({ + md5: ecsString(), + sha1: ecsString(), + sha256: ecsString(), + sha512: ecsString(), + }) + ), + inode: ecsString(), + mode: ecsString(), + mtime: ecsDate(), + name: ecsString(), + owner: ecsString(), + path: ecsString(), + size: ecsNumber(), + target_path: ecsString(), + type: ecsString(), + uid: ecsString(), + }) + ), + geo: schema.maybe( + schema.object({ + city_name: ecsString(), + continent_name: ecsString(), + country_iso_code: ecsString(), + country_name: ecsString(), + location: ecsGeoPoint(), + name: ecsString(), + region_iso_code: ecsString(), + region_name: ecsString(), + }) + ), + group: schema.maybe( + schema.object({ + 
domain: ecsString(), + id: ecsString(), + name: ecsString(), + }) + ), + hash: schema.maybe( + schema.object({ + md5: ecsString(), + sha1: ecsString(), + sha256: ecsString(), + sha512: ecsString(), + }) + ), + host: schema.maybe( + schema.object({ + architecture: ecsString(), + geo: schema.maybe( + schema.object({ + city_name: ecsString(), + continent_name: ecsString(), + country_iso_code: ecsString(), + country_name: ecsString(), + location: ecsGeoPoint(), + name: ecsString(), + region_iso_code: ecsString(), + region_name: ecsString(), + }) + ), + hostname: ecsString(), + id: ecsString(), + ip: ecsString(), + mac: ecsString(), + name: ecsString(), + os: schema.maybe( + schema.object({ + family: ecsString(), + full: ecsString(), + kernel: ecsString(), + name: ecsString(), + platform: ecsString(), + version: ecsString(), + }) + ), + type: ecsString(), + uptime: ecsNumber(), + user: schema.maybe( + schema.object({ + domain: ecsString(), + email: ecsString(), + full_name: ecsString(), + group: schema.maybe( + schema.object({ + domain: ecsString(), + id: ecsString(), + name: ecsString(), + }) + ), + hash: ecsString(), + id: ecsString(), + name: ecsString(), + }) + ), + }) + ), + http: schema.maybe( + schema.object({ + request: schema.maybe( + schema.object({ + body: schema.maybe( + schema.object({ + bytes: ecsNumber(), + content: ecsString(), + }) + ), + bytes: ecsNumber(), + method: ecsString(), + referrer: ecsString(), + }) + ), + response: schema.maybe( + schema.object({ + body: schema.maybe( + schema.object({ + bytes: ecsNumber(), + content: ecsString(), + }) + ), + bytes: ecsNumber(), + status_code: ecsNumber(), + }) + ), + version: ecsString(), + }) + ), + labels: ecsOpenObject(), + log: schema.maybe( + schema.object({ + level: ecsString(), + logger: ecsString(), + origin: schema.maybe( + schema.object({ + file: schema.maybe( + schema.object({ + line: ecsNumber(), + name: ecsString(), + }) + ), + function: ecsString(), + }) + ), + original: ecsString(), + syslog: 
schema.maybe( + schema.object({ + facility: schema.maybe( + schema.object({ + code: ecsNumber(), + name: ecsString(), + }) + ), + priority: ecsNumber(), + severity: schema.maybe( + schema.object({ + code: ecsNumber(), + name: ecsString(), + }) + ), + }) + ), + }) + ), + message: ecsString(), + network: schema.maybe( + schema.object({ + application: ecsString(), + bytes: ecsNumber(), + community_id: ecsString(), + direction: ecsString(), + forwarded_ip: ecsString(), + iana_number: ecsString(), + name: ecsString(), + packets: ecsNumber(), + protocol: ecsString(), + transport: ecsString(), + type: ecsString(), + }) + ), + observer: schema.maybe( + schema.object({ + geo: schema.maybe( + schema.object({ + city_name: ecsString(), + continent_name: ecsString(), + country_iso_code: ecsString(), + country_name: ecsString(), + location: ecsGeoPoint(), + name: ecsString(), + region_iso_code: ecsString(), + region_name: ecsString(), + }) + ), + hostname: ecsString(), + ip: ecsString(), + mac: ecsString(), + name: ecsString(), + os: schema.maybe( + schema.object({ + family: ecsString(), + full: ecsString(), + kernel: ecsString(), + name: ecsString(), + platform: ecsString(), + version: ecsString(), + }) + ), + product: ecsString(), + serial_number: ecsString(), + type: ecsString(), + vendor: ecsString(), + version: ecsString(), + }) + ), + organization: schema.maybe( + schema.object({ + id: ecsString(), + name: ecsString(), + }) + ), + os: schema.maybe( + schema.object({ + family: ecsString(), + full: ecsString(), + kernel: ecsString(), + name: ecsString(), + platform: ecsString(), + version: ecsString(), + }) + ), + package: schema.maybe( + schema.object({ + architecture: ecsString(), + checksum: ecsString(), + description: ecsString(), + install_scope: ecsString(), + installed: ecsDate(), + license: ecsString(), + name: ecsString(), + path: ecsString(), + size: ecsNumber(), + version: ecsString(), + }) + ), + process: schema.maybe( + schema.object({ + args: ecsString(), + 
executable: ecsString(), + hash: schema.maybe( + schema.object({ + md5: ecsString(), + sha1: ecsString(), + sha256: ecsString(), + sha512: ecsString(), + }) + ), + name: ecsString(), + pgid: ecsNumber(), + pid: ecsNumber(), + ppid: ecsNumber(), + start: ecsDate(), + thread: schema.maybe( + schema.object({ + id: ecsNumber(), + name: ecsString(), + }) + ), + title: ecsString(), + uptime: ecsNumber(), + working_directory: ecsString(), + }) + ), + related: schema.maybe( + schema.object({ + ip: ecsString(), + }) + ), + server: schema.maybe( + schema.object({ + address: ecsString(), + as: schema.maybe( + schema.object({ + number: ecsNumber(), + organization: schema.maybe( + schema.object({ + name: ecsString(), + }) + ), + }) + ), + bytes: ecsNumber(), + domain: ecsString(), + geo: schema.maybe( + schema.object({ + city_name: ecsString(), + continent_name: ecsString(), + country_iso_code: ecsString(), + country_name: ecsString(), + location: ecsGeoPoint(), + name: ecsString(), + region_iso_code: ecsString(), + region_name: ecsString(), + }) + ), + ip: ecsString(), + mac: ecsString(), + nat: schema.maybe( + schema.object({ + ip: ecsString(), + port: ecsNumber(), + }) + ), + packets: ecsNumber(), + port: ecsNumber(), + registered_domain: ecsString(), + top_level_domain: ecsString(), + user: schema.maybe( + schema.object({ + domain: ecsString(), + email: ecsString(), + full_name: ecsString(), + group: schema.maybe( + schema.object({ + domain: ecsString(), + id: ecsString(), + name: ecsString(), + }) + ), + hash: ecsString(), + id: ecsString(), + name: ecsString(), + }) + ), + }) + ), + service: schema.maybe( + schema.object({ + ephemeral_id: ecsString(), + id: ecsString(), + name: ecsString(), + node: schema.maybe( + schema.object({ + name: ecsString(), + }) + ), + state: ecsString(), + type: ecsString(), + version: ecsString(), + }) + ), + source: schema.maybe( + schema.object({ + address: ecsString(), + as: schema.maybe( + schema.object({ + number: ecsNumber(), + 
organization: schema.maybe( + schema.object({ + name: ecsString(), + }) + ), + }) + ), + bytes: ecsNumber(), + domain: ecsString(), + geo: schema.maybe( + schema.object({ + city_name: ecsString(), + continent_name: ecsString(), + country_iso_code: ecsString(), + country_name: ecsString(), + location: ecsGeoPoint(), + name: ecsString(), + region_iso_code: ecsString(), + region_name: ecsString(), + }) + ), + ip: ecsString(), + mac: ecsString(), + nat: schema.maybe( + schema.object({ + ip: ecsString(), + port: ecsNumber(), + }) + ), + packets: ecsNumber(), + port: ecsNumber(), + registered_domain: ecsString(), + top_level_domain: ecsString(), + user: schema.maybe( + schema.object({ + domain: ecsString(), + email: ecsString(), + full_name: ecsString(), + group: schema.maybe( + schema.object({ + domain: ecsString(), + id: ecsString(), + name: ecsString(), + }) + ), + hash: ecsString(), + id: ecsString(), + name: ecsString(), + }) + ), + }) + ), + tags: ecsString(), + threat: schema.maybe( + schema.object({ + framework: ecsString(), + tactic: schema.maybe( + schema.object({ + id: ecsString(), + name: ecsString(), + reference: ecsString(), + }) + ), + technique: schema.maybe( + schema.object({ + id: ecsString(), + name: ecsString(), + reference: ecsString(), + }) + ), + }) + ), + trace: schema.maybe( + schema.object({ + id: ecsString(), + }) + ), + transaction: schema.maybe( + schema.object({ + id: ecsString(), + }) + ), + url: schema.maybe( + schema.object({ + domain: ecsString(), + extension: ecsString(), + fragment: ecsString(), + full: ecsString(), + original: ecsString(), + password: ecsString(), + path: ecsString(), + port: ecsNumber(), + query: ecsString(), + registered_domain: ecsString(), + scheme: ecsString(), + top_level_domain: ecsString(), + username: ecsString(), + }) + ), + user: schema.maybe( + schema.object({ + domain: ecsString(), + email: ecsString(), + full_name: ecsString(), + group: schema.maybe( + schema.object({ + domain: ecsString(), + id: 
ecsString(), + name: ecsString(), + }) + ), + hash: ecsString(), + id: ecsString(), + name: ecsString(), + }) + ), + user_agent: schema.maybe( + schema.object({ + device: schema.maybe( + schema.object({ + name: ecsString(), + }) + ), + name: ecsString(), + original: ecsString(), + os: schema.maybe( + schema.object({ + family: ecsString(), + full: ecsString(), + kernel: ecsString(), + name: ecsString(), + platform: ecsString(), + version: ecsString(), + }) + ), + version: ecsString(), + }) + ), + kibana: schema.maybe( + schema.object({ + username: ecsString(), + spaceId: ecsString(), + uuid: ecsString(), + }) + ), + }) +); + +interface GeoPoint { + lat: number; + lon: number; +} + +function ecsGeoPoint() { + return schema.maybe( + schema.object({ + lat: schema.number(), + lon: schema.number(), + }) + ); +} + +function ecsString() { + return schema.maybe(schema.oneOf([schema.string(), schema.arrayOf(schema.string())])); +} + +function ecsNumber() { + return schema.maybe(schema.oneOf([schema.number(), schema.arrayOf(schema.number())])); +} + +function ecsOpenObject() { + return schema.maybe(schema.any()); +} + +function ecsDate() { + return schema.maybe(schema.any({ validate: validateDate })); +} + +function validateDate(object: any) { + if (isDate(object)) return; + return 'object is not a date:' + object; +} diff --git a/x-pack/plugins/event_log/scripts/create_schemas.js b/x-pack/plugins/event_log/scripts/create_schemas.js new file mode 100755 index 000000000000000..b4568425c03810c --- /dev/null +++ b/x-pack/plugins/event_log/scripts/create_schemas.js 
@@ -0,0 +1,352 @@ +#!/usr/bin/env node + +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +const fs = require('fs'); +const path = require('path'); + +const LineWriter = require('./lib/line_writer'); + +const PLUGIN_DIR = path.resolve(path.join(__dirname, '..')); +const ECS_SCHEMA_FILE = 'generated/elasticsearch/7/template.json'; +const EVENT_LOG_MAPPINGS_FILE = 'generated/mappings.json'; +const EVENT_LOG_CONFIG_SCHEMA_FILE = 'generated/schemas.ts'; + +function main() { + const ecsDir = getEcsDir(); + const ecsVersion = getEcsVersion(ecsDir); + + const ecsSchema = readEcsJSONFile(ecsDir, ECS_SCHEMA_FILE); + + // add our custom fields + ecsSchema.mappings.properties.kibana = { + properties: { + username: { + ignore_above: 1024, + type: 'keyword', + }, + spaceId: { + ignore_above: 1024, + type: 'keyword', + }, + uuid: { + ignore_above: 1024, + type: 'keyword', + } + } + }; + + const elSchema = getEventLogSchema(ecsSchema); + + console.log(`generating files in ${PLUGIN_DIR}`); + writeEventLogMappings(elSchema); + writeEventLogConfigSchema(elSchema, ecsVersion); +} + +function writeEventLogMappings(elSchema) { + fixObjectTypes(elSchema.mappings); + + const mappings = { + dynamic: 'strict', + mappings: { + properties: elSchema.mappings.properties + } + }; + + writeGeneratedFile(EVENT_LOG_MAPPINGS_FILE, JSON.stringify(mappings, null, 4)); + console.log('generated:', EVENT_LOG_MAPPINGS_FILE); +} + +function writeEventLogConfigSchema(elSchema, ecsVersion) { + let lineWriter; + + lineWriter = LineWriter.createLineWriter(); + generateSchemaLines(lineWriter, null, elSchema.mappings); + // last line will have an extraneous comma + const schemaLines = lineWriter.getContent().replace(/,$/, ''); + + lineWriter = LineWriter.createLineWriter(); + generateInterfaceLines(lineWriter, 
null, elSchema.mappings); + const interfaceLines = lineWriter.getContent().replace(/;$/, ''); + + const contents = getSchemaFileContents(ecsVersion, schemaLines, interfaceLines); + const schemaCode = `${contents}\n`; + + writeGeneratedFile(EVENT_LOG_CONFIG_SCHEMA_FILE, schemaCode); + console.log('generated:', EVENT_LOG_CONFIG_SCHEMA_FILE); +} + +const StringTypes = new Set(['string', 'keyword', 'text', 'ip']); +const NumberTypes = new Set(['long', 'integer', 'float']); + +function generateInterfaceLines(lineWriter, prop, mappings) { + const propKey = legalPropertyName(prop); + + if (StringTypes.has(mappings.type)) { + lineWriter.addLine(`${propKey}?: string | string[];`); + return; + } + + if (NumberTypes.has(mappings.type)) { + lineWriter.addLine(`${propKey}?: number | number[];`); + return; + } + + if (mappings.type === 'date') { + lineWriter.addLine(`${propKey}?: Date | Date[];`); + return; + } + + if (mappings.type === 'geo_point') { + lineWriter.addLine(`${propKey}?: GeoPoint | GeoPoint[];`); + return; + } + + if (mappings.type === 'object') { + lineWriter.addLine(`${propKey}?: Record;`); + return; + } + + // only handling objects for the rest of this function + if (mappings.properties == null) { + logError(`unknown properties to map: ${prop}: ${JSON.stringify(mappings)}`); + } + + // top-level object does not have a property name + if (prop == null) { + lineWriter.addLine(`{`); + + } else { + lineWriter.addLine(`${propKey}?: {`); + } + + // write the object properties + lineWriter.indent(); + for (const prop of Object.keys(mappings.properties)) { + generateInterfaceLines(lineWriter, prop, mappings.properties[prop]); + } + lineWriter.dedent(); + + lineWriter.addLine('};'); +} + +function generateSchemaLines(lineWriter, prop, mappings) { + const propKey = legalPropertyName(prop); + + if (StringTypes.has(mappings.type)) { + lineWriter.addLine(`${propKey}: ecsString(),`); + return; + } + + if (NumberTypes.has(mappings.type)) { + lineWriter.addLine(`${propKey}: 
ecsNumber(),`); + return; + } + + if (mappings.type === 'date') { + lineWriter.addLine(`${propKey}: ecsDate(),`); + return; + } + + if (mappings.type === 'geo_point') { + lineWriter.addLine(`${propKey}: ecsGeoPoint(),`); + return; + } + + if (mappings.type === 'object') { + lineWriter.addLine(`${propKey}: ecsOpenObject(),`); + return; + } + + // only handling objects for the rest of this function + if (mappings.properties == null) { + logError(`unknown properties to map: ${prop}: ${JSON.stringify(mappings)}`); + } + + // top-level object does not have a property name + if (prop == null) { + lineWriter.addLine(`schema.maybe(`); + lineWriter.indent(); + lineWriter.addLine(`schema.object({`); + + } else { + lineWriter.addLine(`${propKey}: schema.maybe(`); + lineWriter.indent(); + lineWriter.addLine(`schema.object({`); + } + + // write the object properties + lineWriter.indent(); + for (const prop of Object.keys(mappings.properties)) { + generateSchemaLines(lineWriter, prop, mappings.properties[prop]); + } + lineWriter.dedent(); + + lineWriter.addLine('})'); + lineWriter.dedent(); + lineWriter.addLine('),'); +} + +function legalPropertyName(prop) { + if (prop === '@timestamp') return `'@timestamp'`; + return prop; +} + +function fixObjectTypes(mappings) { + if (mappings.properties != null) { + for (const prop of Object.keys(mappings.properties)) { + fixObjectTypes(mappings.properties[prop]); + } + return; + } + + if (mappings.type === 'object') { + mappings.enabled = false; + } +} + +function getEventLogSchema(ecsSchema) { + return ecsSchema; +} + +function readEcsJSONFile(ecsDir, fileName) { + const contents = readEcsFile(ecsDir, fileName); + + let object; + try { + object = JSON.parse(contents); + } catch (err) { + logError(`ecs file is not JSON: ${fileName}: ${err.message}`); + } + + return object; +} + +function writeGeneratedFile(fileName, contents) { + const genFileName = path.join(PLUGIN_DIR, fileName); + try { + fs.writeFileSync(genFileName, contents); + } 
catch (err) { + logError(`error writing file: ${genFileName}: ${err.message}`); + } +} + +function readEcsFile(ecsDir, fileName) { + const ecsFile = path.resolve(path.join(ecsDir, fileName)); + + let contents; + try { + contents = fs.readFileSync(ecsFile, { encoding: 'utf8' }); + } catch (err) { + logError(`ecs file not found: ${ecsFile}: ${err.message}`); + } + + return contents; +} + +function getEcsVersion(ecsDir) { + const contents = readEcsFile(ecsDir, 'version').trim(); + if (!contents.match(/^\d+\.\d+\.\d+$/)) { + logError(`ecs is not at a stable version: : ${contents}`); + } + + return contents; +} + +function getEcsDir() { + const ecsDir = path.resolve(path.join(__dirname, '../../../../../ecs')); + + let stats; + let error; + try { + stats = fs.statSync(ecsDir); + } catch (err) { + error = err; + } + + if (error || !stats.isDirectory()) { + logError(`directory not found: ${ecsDir} - did you checkout elastic/ecs as a peer of this repo?`); + } + + return ecsDir; +} + +function logError(message) { + console.log(`error: ${message}`); + process.exit(1); +} + +const SchemaFileTemplate = ` +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. 
+ */ + +// ---------------------------------- WARNING ---------------------------------- +// this file was generated, and should not be edited by hand +// ---------------------------------- WARNING ---------------------------------- + +// provides TypeScript and config-schema interfaces for ECS for use with +// the event log + +import { schema } from '@kbn/config-schema'; +import { isDate } from 'lodash'; + +export const ECS_VERSION = '%%ECS_VERSION%%'; + +// a typescript interface describing the schema +export interface IEvent %%INTERFACE%% + +// a config-schema describing the schema +export const EventSchema = %%SCHEMA%%; + +interface GeoPoint { + lat: number; + lon: number; +} + +function ecsGeoPoint() { + return schema.maybe( + schema.object({ + lat: schema.number(), + lon: schema.number(), + }) + ); +} + +function ecsString() { + return schema.maybe(schema.oneOf([schema.string(), schema.arrayOf(schema.string())])); +} + +function ecsNumber() { + return schema.maybe(schema.oneOf([schema.number(), schema.arrayOf(schema.number())])); +} + +function ecsOpenObject() { + return schema.maybe(schema.any()); +} + +function ecsDate() { + return schema.maybe(schema.any({ validate: validateDate })); +} + +function validateDate(object: any) { + if (isDate(object)) return; + return 'object is not a date:' + object; +} +`.trim(); + +function getSchemaFileContents(ecsVersion, schemaLines, interfaceLines) { + return SchemaFileTemplate + .replace('%%ECS_VERSION%%', ecsVersion) + .replace('%%SCHEMA%%', schemaLines) + .replace('%%INTERFACE%%', interfaceLines); +} + +// run as a command-line script +if (require.main === module) main(); diff --git a/x-pack/plugins/event_log/scripts/lib/line_writer.js b/x-pack/plugins/event_log/scripts/lib/line_writer.js new file mode 100644 index 000000000000000..2421e16a45d1ac6 --- /dev/null +++ b/x-pack/plugins/event_log/scripts/lib/line_writer.js 
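Review bot: `ecsDate()` in SchemaFileTemplate validates only a single value, yet `generateInterfaceLines` declares the same field as `Date | Date[]`, and `validateDate` accepts an Invalid Date because lodash's `isDate` only checks the object tag, so `new Date('nope')` passes validation and is serialized as `null` when the event is indexed. The other scalar helpers (`ecsString`, `ecsNumber`) accept `oneOf([value, arrayOf(value)])`, so the date helper should do the same and additionally reject NaN timestamps; the rewrite below replaces the last two functions of the template (they are TypeScript inside the JS template literal). Separately, `getSchemaFileContents` hands the generated code to `String.prototype.replace` as a string replacement, where `$&`/`$1`-style sequences are interpreted; a function replacer (`.replace('%%SCHEMA%%', () => schemaLines)`) avoids that if a field name ever contains `$`. Since `getEventLogSchema` currently returns the ECS schema unchanged, the event log schema also accepts fields such as `url.password`; presumably the subset is meant to be narrowed later, and a comment on that stub saying so would help.
```typescript
// … unchanged: rest of SchemaFileTemplate …
const ecsDateValue = schema.any({ validate: validateDate });

function ecsDate() {
  return schema.maybe(schema.oneOf([ecsDateValue, schema.arrayOf(ecsDateValue)]));
}

function validateDate(object: any) {
  // lodash isDate() is true for an Invalid Date, so check the timestamp as well
  if (isDate(object) && !isNaN(object.getTime())) return;
  return 'object is not a date:' + object;
}
```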
@@ -0,0 +1,36 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +module.exports = { + createLineWriter, +}; + +class LineWriter { + constructor() { + this._indent = ''; + this._lines = []; + } + + addLine(line) { + this._lines.push(`${this._indent}${line}`); + } + + indent() { + this._indent = `${this._indent} `; + } + + dedent() { + this._indent = this._indent.substr(2); + } + + getContent() { + return this._lines.join('\n'); + } +} + +function createLineWriter() { + return new LineWriter(); +}
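Review bot: `dedent()` uses `String.prototype.substr`, which is deprecated in favour of `slice`, and it silently leaves `_indent` empty when called more times than `indent()`, which hides a mismatched indent/dedent pair in the generator instead of surfacing it. A guard makes the mistake visible: `if (this._indent.length < 2) throw new Error('dedent() without matching indent()'); this._indent = this._indent.slice(2);`. A one-line class comment such as `// accumulates lines of generated source; indent()/dedent() shift subsequent lines by two spaces` would also help, since the module has no documentation.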