There's going to be 2 set of patterns provided out-of-the-box that provide around the same functionality (at start).
The existing (legacy) set and an ECS set of patterns - with mostly captures reviewed/renamed for compliance.
Patterns are already logically split by functionality into separate files - good enough to convert the whole set one-by-one :
introduce grok conversions for ES ingest node compatibility (strict :int and :float parsing modes, add :long, :double, :boolean + we could also use an AS style :bool conversion e.g. with bro's T/F flags)
than review patterns
:heavy_check_mark: won't block shipping ECS-ified patterns - we should double check :int capture INT-like values
:white_check_mark: ...:int captures reviewed https://github.com/logstash-plugins/logstash-patterns-core/commit/6dd657b8bff1604439d17e29c8b2d2a9bbd6dd12
need to make sure to set event.original (in grok?) and potentially remove message field before reaching grok
patterns that extract message to keep the field flat (or default to running with overwrite => [ 'message' ]) in ECS mode
type-casting doesn't always work due a grok library bug
this one falls under: https://github.com/logstash-plugins/logstash-filter-grok/issues/157
There's going to be 2 set of patterns provided out-of-the-box that provide around the same functionality (at start). The existing (legacy) set and an ECS set of patterns - with mostly captures reviewed/renamed for compliance.
Patterns are already logically split by functionality into separate files - good enough to convert the whole set one-by-one :
mavenPost TODOs
ship (legacy) pattern updates 4.2.0 before ECS-ified release
check if ECS 1.6 is around with
http.response.mime_typehttps://github.com/logstash-plugins/logstash-patterns-core/pull/270#issuecomment-670012568in the mean time consider renamingUPDATE 1.7 shippedsquid.response.content_typetosquid.response.mime_type?http.[request|response].mime_typeas GA :heavy_check_mark: renamedsquid.response.content_typeat https://github.com/logstash-plugins/logstash-patterns-core/commit/3b8655765c606ae3763ddfcdbbdaea701e82cfbfhost.namevshost.hostnamehttps://github.com/logstash-plugins/logstash-patterns-core/pull/262/files#r459038278 https://github.com/logstash-plugins/logstash-patterns-core/pull/262/files#r504850250 :heavy_check_mark: we'll be usinghostname, users should opt-in toname(due SIEM)introduce grok conversions for ES ingest node compatibility (strict
:intand:floatparsing modes, add:long,:double,:boolean+ we could also use an AS style:boolconversion e.g. with bro'sT/Fflags) than review patterns :heavy_check_mark: won't block shipping ECS-ified patterns - we should double check :int capture INT-like values :white_check_mark:...:intcaptures reviewed https://github.com/logstash-plugins/logstash-patterns-core/commit/6dd657b8bff1604439d17e29c8b2d2a9bbd6dd12need to make sure to set
event.original(in grok?) and potentially removemessagefield before reaching grok patterns that extractmessageto keep the field flat (or default to running withoverwrite => [ 'message' ]) in ECS modetype-casting doesn't always work due a grok library bug
avoid mixed