elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

Support the ingest of the source address and the source port separately #34371

Open narph opened 1 year ago

narph commented 1 year ago

Related https://github.com/elastic/beats/pull/9460 https://github.com/elastic/ecs/pull/247

We have introduced log.source.address for the TCP/UDP input, which contains both the IP and the port, like 127.0.0.1:8080. However, neither the IP nor the port is collected separately, which means that it usually involves a dissect operation to get either the IP or the port separately for data analysis (e.g. aggregation of unique IPs).

- if.has_fields: [log.source.address]
    then:
      - dissect:
          field: log.source.address
          target_prefix: log.source
          tokenizer: '%{ip}:%{port}'
      - convert:
          ignore_missing: true
          fields:
            - from: log.source.port
              type: integer

Can we consider introducing separate fields for ip/port?
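Added example, not code from the Beats project: the split the dissect step above performs, written in Go with net/netip so that it also covers the case a single-colon tokenizer cannot, a bracketed IPv6 source such as "[::1]:8080". It assumes the TCP/UDP input emits IPv6 sources in that bracketed form, a flat event map as the field layout, and the field names log.source.ip and log.source.port proposed in this issue.

```go
package main

import (
	"fmt"
	"net/netip"
)

// SourceEndpoint holds the two fields this issue asks for, split out of
// the combined "ip:port" value Beats stores in log.source.address.
type SourceEndpoint struct {
	IP   string
	Port int
}

// SplitSourceAddress parses "ip:port" with net/netip so that bracketed
// IPv6 literals ("[::1]:8080", zones included) are handled and the port
// is range-checked; a tokenizer that splits on the first ':' can do
// neither. The IP is returned in canonical textual form.
func SplitSourceAddress(addr string) (SourceEndpoint, error) {
	ap, err := netip.ParseAddrPort(addr)
	if err != nil {
		return SourceEndpoint{}, fmt.Errorf("log.source.address %q: %w", addr, err)
	}
	return SourceEndpoint{IP: ap.Addr().String(), Port: int(ap.Port())}, nil
}

// AddSourceFields adds log.source.ip and log.source.port beside
// log.source.address in a flat event map (assumed layout, not Beats'
// own event type). An unparsable address is reported and the event is
// left unchanged, so the original value is never lost.
func AddSourceFields(event map[string]interface{}) error {
	addr, ok := event["log.source.address"].(string)
	if !ok {
		return nil // nothing to split
	}
	ep, err := SplitSourceAddress(addr)
	if err != nil {
		return err
	}
	event["log.source.ip"] = ep.IP
	event["log.source.port"] = ep.Port
	return nil
}

func main() {
	// Constructed sample values in the form the TCP/UDP input emits.
	for _, a := range []string{"127.0.0.1:49666", "[::1]:8080", "::1:8080", "127.0.0.1"} {
		ep, err := SplitSourceAddress(a)
		fmt.Printf("%-16s -> ip=%q port=%d err=%v\n", a, ep.IP, ep.Port, err)
	}
}
```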

elasticmachine commented 1 year ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

andrewkroh commented 1 year ago

I think these fields should be proposed to be part of ECS before Filebeat implements them.

efd6 commented 1 year ago

I didn't see that log.source wasn't an ECS field. Why are we using it?

andrewkroh commented 1 year ago

I think its usage predates ECS. I don't recall whether anyone proposed adding it to ECS in the past. But since Beats are adding fields into the log.* namespace there is a chance of a future collision.

elasticmachine commented 9 months ago

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

elasticmachine commented 9 months ago

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

aleksmaus commented 1 month ago

Hi!

Looks like this ticket is still in our backlog. Trying to understand what to do with this request.

Example of TCP log:

  "log": {
    "source": {
      "address": "127.0.0.1:49666"
    }
  }

It doesn't look like we can change log.source.address anymore; it has to have both host/ip and port. It's not an ECS field. It looks like there is a debate about adding more fields under log.source such as ip and port, and a possible concern about conflicts now or in the future.

Would the addition of ip and port solve this issue?

  "log": {
    "source": {
      "address": "127.0.0.1:49666",
      "ip": "127.0.0.1",
      "port": 49666
    }
  }

What fields should we use instead if the above is not acceptable? @andrewkroh

efd6 commented 1 month ago

I think this is not doable. I had a branch to do it somewhen, but the ECS definitions precluded doing it.

aleksmaus commented 1 month ago

I think this is not doable. I had a branch to do it somewhen, but the ECS definitions precluded doing it.

Understood. What is the appropriate resolution to this ticket?

efd6 commented 1 month ago

I think it can be closed, but please check with Andrew.

aleksmaus commented 1 month ago

@andrewkroh please cast your vote.