thompson-tomo closed 1 month ago
Hi @thompson-tomo thanks for the PR.
The ECS categorization fields should be empty by default as per: https://www.elastic.co/guide/en/ecs/current/ecs-category-field-values-reference.html
If your events don’t match any of these categorization values, you should leave the fields empty. This will ensure you can start populating the fields once the appropriate categorization values are published, in a later release.
If someone wants event.kind to be event by default I think they have to actively choose to do so themselves.
With this change the logs will now default to being recorded as having the event kind of event, which is the most common.
Closes #398