Conversation
This PR is to kick off a discussion around Winlogbeat and ECS migration.
@webmat @andrewkroh I kicked this off for the changes in ECS. The part I'm not very clear on here is which fields are very event-log specific and which ones we should actually map to ECS. Could you have a look and leave your comments? This is not complete yet but should have questions for all the relevant fields.
| - name: computer_name | ||
| type: keyword | ||
| type: alias | ||
| path: host.name |
Rather host.hostname. host.name is meant to be overridable.
| - name: process_id | ||
| type: long | ||
| type: alias | ||
| path: process.id |
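Review bot: the alias target `process.id` should be checked against the ECS process field set before this lands; the target names in the neighbouring hunks (`host.name`, `event.id`) mirror the Winlogbeat field names, and the ECS name for the process identifier needs confirming rather than being derived from `process_id`. If the ECS field turns out to be named differently, the `path:` here is the only line that changes.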
| - name: event_id | ||
| type: long | ||
| type: alias | ||
| path: event.id |
This is not the same as ECS event.id (at least in my understanding). This is more like an identifier for the log message in the application. For example 1102 is "The audit log was cleared".
record_number is closer to event.id but it's only unique given some additional constraints. If we wanted to populate event.id I'd do a fast hash of @timestamp + computer_name + log_name + record_number.
| // MapStr. | ||
| func addOptional(m common.MapStr, key string, v interface{}) { | ||
| if m != nil && !isZero(v) { | ||
| m[key] = v |
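Review bot: addOptional silently does nothing when `m` is nil, so a caller that forgets to initialise the MapStr loses fields with no signal; if a nil map is never expected at this call site, consider dropping the `m != nil` guard (or returning a bool) so the mistake surfaces instead of being swallowed. A doc line on what isZero treats as zero would also help here, since if it treats 0 and "" as zero, a legitimate zero or empty-string value is dropped rather than recorded, and readers of the event will not be able to tell "absent" from "zero".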
A few lines up...
e.TimeCreated.SystemTime is used to populate @timestamp. That's the time the event was originally logged. So it would be nice to populate event.created with the current time.
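The two suggestions above (a hashed event.id from @timestamp + computer_name + log_name + record_number, and event.created taken from the clock at processing time rather than from TimeCreated.SystemTime) can be sketched together. This is an added illustration, not Winlogbeat's code: it uses a plain map instead of common.MapStr, invents the eventIdentity struct and the buildEventFields helper, and picks FNV-1a as the "fast hash"; the sample values in main are constructed.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"hash/fnv"
	"strconv"
	"time"
)

// eventIdentity holds the four fields the thread proposes for deriving a
// stable event.id: the time the record was logged (TimeCreated.SystemTime),
// the computer that logged it, the channel (log_name) and the record number
// within that channel. Hypothetical type, not a Winlogbeat struct.
type eventIdentity struct {
	Timestamp    time.Time
	ComputerName string
	LogName      string
	RecordNumber uint64
}

// eventID hashes the four identity fields with 64-bit FNV-1a and returns the
// digest as hex. Each field is terminated with a NUL byte so that the
// concatenations "ab"+"c" and "a"+"bc" cannot collide, and the timestamp is
// rendered in UTC with nanosecond precision so the same record produces the
// same id regardless of the local timezone of the machine doing the hashing.
func eventID(e eventIdentity) string {
	h := fnv.New64a()
	for _, part := range []string{
		e.Timestamp.UTC().Format(time.RFC3339Nano),
		e.ComputerName,
		e.LogName,
		strconv.FormatUint(e.RecordNumber, 10),
	} {
		h.Write([]byte(part))
		h.Write([]byte{0})
	}
	return hex.EncodeToString(h.Sum(nil))
}

// buildEventFields returns the timing and identity fields for one record:
// @timestamp is when the event was originally logged (from the record),
// event.created is when Winlogbeat processed it (the caller's clock, passed
// in so the function stays deterministic), and event.id is the derived hash.
func buildEventFields(e eventIdentity, processedAt time.Time) map[string]interface{} {
	return map[string]interface{}{
		"@timestamp":    e.Timestamp,
		"event.created": processedAt,
		"event.id":      eventID(e),
	}
}

func main() {
	// Constructed sample record; values are illustrative only.
	rec := eventIdentity{
		Timestamp:    time.Date(2019, 1, 15, 10, 30, 0, 0, time.UTC),
		ComputerName: "WIN-HOST01",
		LogName:      "Security",
		RecordNumber: 4711,
	}
	for k, v := range buildEventFields(rec, time.Now()) {
		fmt.Printf("%-14s %v\n", k, v)
	}
}
```

The NUL separator and the fixed-timezone formatting are the two details that matter if the id is meant to be stable across restarts and across collectors: without them, two different records can hash alike, or the same record can hash differently depending on where it was processed.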
| type: keyword | ||
| # This does not exist yet | ||
| path: log.name | ||
| type: alias |
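Review bot: the `# This does not exist yet` comment above `path: log.name` is the problem with this hunk: an alias needs its target to exist in the mapping when the index template is loaded, so as written this alias points at nothing. Either add `log.name` as a concrete field in the same change or hold the alias back until the target field lands, and drop the comment once the target exists.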
I'd like to understand better the relation between log_name and source_name. Is there a place where we can see sample data? I haven't found anything obvious.