elastic / ecs

Elastic Common Schema
https://www.elastic.co/what-is/ecs
Apache License 2.0

CEF Fields #1870

Open fgierlinger opened 2 years ago

fgierlinger commented 2 years ago

Summary: The Logstash documentation of the CEF codec refers to CEF ECS fields (cef.name and cef.version, to name a few). Since the documentation refers to them as "ECS Field", they should also be defined in ECS.

Motivation: Provide all fields referenced as "ECS Field" through the ECS repository.

Detailed Design: All field names currently referenced in the Logstash CEF Codec documentation are:

[cef][version]
[cef][name]
[cef][agent][registered_domain]
[cef][agent][registered_domain]
[cef][agent][timezone]
[cef][agent][nat][ip]
[cef][agent][translated_zone][external_id]
[cef][agent][translated_zone][uri]
[cef][agent][zone][external_id]
[cef][agent][zone][uri]
[cef][base_event_count]
[cef][device_type]
[cef][destination][translated_zone][external_id]
[cef][destination][translated_zone][uri]
[cef][destination][zone][external_id]
[cef][destination][zone][uri]
[cef][device_custom_floating_point_1][value]
[cef][device_custom_floating_point_1][label]
[cef][device_custom_floating_point_2][value]
[cef][device_custom_floating_point_2][label]
[cef][device_custom_floating_point_3][value]
[cef][device_custom_floating_point_3][label]
[cef][device_custom_floating_point_4][value]
[cef][device_custom_floating_point_4][label]
[cef][device_custom_floating_point_5][value]
[cef][device_custom_floating_point_5][label]
[cef][device_custom_floating_point_6][value]
[cef][device_custom_floating_point_6][label]
[cef][device_custom_floating_point_7][value]
[cef][device_custom_floating_point_7][label]
[cef][device_custom_floating_point_8][value]
[cef][device_custom_floating_point_8][label]
[cef][device_custom_floating_point_9][value]
[cef][device_custom_floating_point_9][label]
[cef][device_custom_floating_point_10][value]
[cef][device_custom_floating_point_10][label]
[cef][device_custom_floating_point_11][value]
[cef][device_custom_floating_point_11][label]
[cef][device_custom_floating_point_12][value]
[cef][device_custom_floating_point_12][label]
[cef][device_custom_floating_point_13][value]
[cef][device_custom_floating_point_13][label]
[cef][device_custom_floating_point_14][value]
[cef][device_custom_floating_point_14][label]
[cef][device_custom_floating_point_15][value]
[cef][device_custom_floating_point_15][label]
[cef][device_custom_ipv6_address_1][value]
[cef][device_custom_ipv6_address_1][label]
[cef][device_custom_ipv6_address_2][value]
[cef][device_custom_ipv6_address_2][label]
[cef][device_custom_ipv6_address_3][value]
[cef][device_custom_ipv6_address_3][label]
[cef][device_custom_ipv6_address_4][value]
[cef][device_custom_ipv6_address_4][label]
[cef][device_custom_ipv6_address_5][value]
[cef][device_custom_ipv6_address_5][label]
[cef][device_custom_ipv6_address_6][value]
[cef][device_custom_ipv6_address_6][label]
[cef][device_custom_ipv6_address_7][value]
[cef][device_custom_ipv6_address_7][label]
[cef][device_custom_ipv6_address_8][value]
[cef][device_custom_ipv6_address_8][label]
[cef][device_custom_ipv6_address_9][value]
[cef][device_custom_ipv6_address_9][label]
[cef][device_custom_ipv6_address_10][value]
[cef][device_custom_ipv6_address_10][label]
[cef][device_custom_ipv6_address_11][value]
[cef][device_custom_ipv6_address_11][label]
[cef][device_custom_ipv6_address_12][value]
[cef][device_custom_ipv6_address_12][label]
[cef][device_custom_ipv6_address_13][value]
[cef][device_custom_ipv6_address_13][label]
[cef][device_custom_ipv6_address_14][value]
[cef][device_custom_ipv6_address_14][label]
[cef][device_custom_ipv6_address_15][value]
[cef][device_custom_ipv6_address_15][label]
[cef][device_custom_number_1][value]
[cef][device_custom_number_1][label]
[cef][device_custom_number_2][value]
[cef][device_custom_number_2][label]
[cef][device_custom_number_3][value]
[cef][device_custom_number_3][label]
[cef][device_custom_number_4][value]
[cef][device_custom_number_4][label]
[cef][device_custom_number_5][value]
[cef][device_custom_number_5][label]
[cef][device_custom_number_6][value]
[cef][device_custom_number_6][label]
[cef][device_custom_number_7][value]
[cef][device_custom_number_7][label]
[cef][device_custom_number_8][value]
[cef][device_custom_number_8][label]
[cef][device_custom_number_9][value]
[cef][device_custom_number_9][label]
[cef][device_custom_number_10][value]
[cef][device_custom_number_10][label]
[cef][device_custom_number_11][value]
[cef][device_custom_number_11][label]
[cef][device_custom_number_12][value]
[cef][device_custom_number_12][label]
[cef][device_custom_number_13][value]
[cef][device_custom_number_13][label]
[cef][device_custom_number_14][value]
[cef][device_custom_number_14][label]
[cef][device_custom_number_15][value]
[cef][device_custom_number_15][label]
[cef][device_custom_string_1][value]
[cef][device_custom_string_1][label]
[cef][device_custom_string_2][value]
[cef][device_custom_string_2][label]
[cef][device_custom_string_3][value]
[cef][device_custom_string_3][label]
[cef][device_custom_string_4][value]
[cef][device_custom_string_4][label]
[cef][device_custom_string_5][value]
[cef][device_custom_string_5][label]
[cef][device_custom_string_6][value]
[cef][device_custom_string_6][label]
[cef][device_custom_string_7][value]
[cef][device_custom_string_7][label]
[cef][device_custom_string_8][value]
[cef][device_custom_string_8][label]
[cef][device_custom_string_9][value]
[cef][device_custom_string_9][label]
[cef][device_custom_string_10][value]
[cef][device_custom_string_10][label]
[cef][device_custom_string_11][value]
[cef][device_custom_string_11][label]
[cef][device_custom_string_12][value]
[cef][device_custom_string_12][label]
[cef][device_custom_string_13][value]
[cef][device_custom_string_13][label]
[cef][device_custom_string_14][value]
[cef][device_custom_string_14][label]
[cef][device_custom_string_15][value]
[cef][device_custom_string_15][label]
[cef][category]
[cef][nt_domain]
[cef][payload_id]
[cef][translated_zone][external_id]
[cef][translated_zone][uri]
[cef][zone][external_id]
[cef][zone][uri]
[cef][external_id]
[cef][old_file][created]
[cef][old_file][hash]
[cef][old_file][inode]
[cef][old_file][mtime]
[cef][old_file][name]
[cef][old_file][path]
[cef][old_file][group]
[cef][old_file][size]
[cef][old_file][extension]
[cef][request][cookies]
[cef][source][translated_zone][external_id]
[cef][source][translated_zone][uri]
[cef][source][zone][external_id]
[cef][source][zone][uri]
[cef][type]

ebeahan commented 2 years ago

Even though the Logstash docs refer to the cef.* fields as part of ECS, I think they're intended to be custom fields populated alongside ECS. It's recommended to place custom fields into a namespace using a proper name when mapping to ECS.

@kares @yaauie @karenzone Is my viewpoint correct here? Should the CEF plugin doc somehow distinguish between ECS-defined and custom fields?

yaauie commented 2 years ago

While ECS does specify a specific set of interoperable fields, it also "provides a set of naming guidelines for adding custom fields", and it is in this sense that the cef-prefixed fields are fields that comply with the guidance of ECS for custom fields and so I consider them "ECS Fields".

I'm not sure if it would add noise or clarity to change the heading column of those two tables from "ECS Field" to "ECS Compatible Field"?

Or perhaps to add a qualifying statement:

 When decoding in an ECS Compatibility mode, the ECS Fields are populated from
 the corresponding CEF Field Names or CEF Keys found in the payload’s extensions.
+Fields that do not have a formal ECS definition are expanded into the `cef` namespace
+to avoid clashing with non-CEF fields.
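
Review bot: the added sentence says where fields without an ECS definition land but not that the table's "ECS Field" column mixes formally defined ECS fields with custom `cef.*` fields named under the ECS guidelines, which is the confusion the issue raises; consider stating that explicitly, for example "The `cef.*` fields are custom fields that follow the ECS naming guidelines; they are not defined by ECS itself."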

ebeahan commented 2 years ago

While ECS does specify a specific set of interoperable fields, it also "provides a set of naming guidelines for adding custom fields", and it is in this sense that the cef-prefixed fields are fields that comply with the guidance of ECS for custom fields and so I consider them "ECS Fields".

Yes, ECS defines both a set of standard fields and guidance on how events should be structured.

I understand how users see cef.* ECS fields documented and may expect a cef.* field set to exist in ECS. So I'd vote to add a statement that the cef.* fields use a custom namespace.

leehinman commented 2 years ago

Just for context. The beats cef module has the cef.extensions as custom namespace https://github.com/elastic/beats/blob/8.2/x-pack/filebeat/module/cef/log/_meta/fields.yml#L223 and the beats decode_cef processor maps numerous cef fields to their ECS equivalents https://github.com/elastic/beats/blob/d045c17ff9146add9bb26072c2c1b535b8886d69/x-pack/filebeat/processors/decode_cef/keys.ecs.go#L20
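The behaviour described in the thread (yaauie's qualifying statement and leehinman's pointer to decode_cef) is: CEF header fields and extension keys with a formal ECS definition are mapped to that ECS field, and everything else goes into the `cef.*` custom namespace using the names listed in the issue. The following is an added example that is not code from the ECS, Logstash or Beats projects; the sample event is constructed, and the particular header/extension-to-ECS mapping is an illustrative subset, not the plugins' actual tables.

```python
import re

# Constructed CEF event (not from the page); '\=' is CEF's escape for '=' in values.
SAMPLE = ("CEF:0|Acme|Firewall|1.0|100|Policy Violation|7|"
          "src=10.0.0.5 dst=192.0.2.10 spt=4433 act=blocked "
          "cat=policy cn1=42 cn1Label=Rule Id msg=path\\=/admin")

# Assumed mapping for this example: header positions -> target field.
HEADER_KEYS = ["cef.version", "observer.vendor", "observer.product",
               "observer.version", "event.code", "cef.name", "event.severity"]
# Extension keys with a formal ECS definition (illustrative subset).
EXT_TO_ECS = {"src": "source.ip", "dst": "destination.ip", "spt": "source.port",
              "act": "event.action", "msg": "message"}
# Keys without an ECS definition use the cef.* names from the issue's list.
CEF_RENAMES = {"cat": "category", "cnt": "base_event_count"}
CUSTOM = {"cs": "device_custom_string", "cn": "device_custom_number",
          "cfp": "device_custom_floating_point", "c6a": "device_custom_ipv6_address"}
CUSTOM_RE = re.compile(r"^(cs|cn|cfp|c6a)(\d+)(Label)?$")

def split_header(line):
    """Split the 7 header fields on unescaped '|'; return (fields, extension text)."""
    parts, cur, i = [], [], 0
    while i < len(line) and len(parts) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):      # '\|' and '\\' keep the escaped char
            cur.append(line[i + 1]); i += 2; continue
        if c == "|":
            parts.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    return parts, line[i:]

def parse_extension(ext):
    """Tokenise key=value pairs; a key must follow start-of-string or whitespace."""
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", ext))
    out = {}
    for k, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[k.end():nxt.start() if nxt else len(ext)]
        out[k.group(1)] = re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}
                                 .get(m.group(1), m.group(1)), raw)
    return out

def to_ecs(line):
    """Return a flat dict of ECS fields plus cef.* custom fields (values left as str)."""
    header, ext = split_header(line)
    doc = dict(zip(HEADER_KEYS, header))
    doc["cef.version"] = doc["cef.version"].removeprefix("CEF:")
    for key, val in parse_extension(ext).items():
        m = CUSTOM_RE.match(key)
        if key in EXT_TO_ECS:                       # formally defined ECS field
            doc[EXT_TO_ECS[key]] = val
        elif m:                                     # cefN / cefNLabel custom pairs
            suffix = "label" if m.group(3) else "value"
            doc[f"cef.{CUSTOM[m.group(1)]}_{m.group(2)}.{suffix}"] = val
        else:                                       # anything else: cef.* namespace
            doc[f"cef.{CEF_RENAMES.get(key, key)}"] = val
    return doc
```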