[Packetbeat] - Change field names to follow ECS #7968
For the next major release we want to change some of the common field names in Packetbeat to follow the Elastic Common Schema (ECS). This will make it much easier to query related data from different sources.
We should break this task down into smaller pieces that are easily reviewable. Perhaps something like this.
- Map the fields to ECS in a spreadsheet and review.
  - Map the common fields that are shared by all protocols (e.g. ip, client_ip, etc.)
  - Map Packetbeat flow data
  - Map the protocols that are commonly used in security analytics (e.g. dns, tls, http, icmp).
  - Check the application protocols to see if there are any fields that can be mapped to ECS.
- Convert one protocol at a time including updating dashboards.
- Flows: Convert Packetbeat Flows to ECS #9121
- Process Info: [Packetbeat] Restructure client/server and process fields #9303
- Client / Server: [Packetbeat] Restructure client/server and process fields #9303
- Populated source and destination when client/server are used.
- Network metrics
- Direction (in/out -> incoming/outgoing)
- Dashboards
- Documentation examples
- Evaluate what fields for 6.6 should receive forward looking aliases (like ip -> server.ip)
Protocol Change Pull Requests
- AMQP: Update AMQP protocol to use ECS fields #10090
- Cassandra: Update Cassandra protocol to use ECS fields #10093
- DHCPv4: Update DHCPv4 protocol to use ECS fields #10089
- DNS: [Packetbeat] Update DNS protocol to use ECS fields #9941
  - Removed trailing dot from domain names reported by the DNS protocol.
- HTTP: Update HTTP protocol to use ECS fields #9976
- ICMP: Update ICMP protocol to use ECS fields #10062
- Memcache: Update Memcache protocol to use ECS fields #10189
- MongoDB: Update MongoDB protocol to use ECS fields #10158
- MySQL: Update MySQL protocol to use ECS fields #10155
- NFS: Update NFS protocol to use ECS fields #10153
- Redis: Update Redis protocol to use ECS fields #10126
- TLS: Update TLS protocol to use ECS fields #9980
- Thrift: Update Thrift protocol to use ECS fields #10125
- pgSQL: Update pgSQL protocol to use ECS fields #10147