Convert Filebeat iis.access to ECS #9084
ruflin left a comment:
Add changelog and migration file.
5afd5c5 to 1d16d14
@ruflin Ready for review.
ruflin left a comment:
For the user_agent problem, see the other issue.
IPORHOST here also seems to be one of these fields where we should do a follow-up PR to make it only IP, as otherwise it could break at ingest time.
2de8a2a to a8e1881
@ruflin I've worked a bit on the user_agent parsing. You were right about the mapping issue, so this is resolved. My work has revealed a few things:
I think there are many ways we can go about this.
- iis.access.server_ip => destination.ip
- iis.access.remote_ip => source.ip
- iis.access.method => http.request.method
- iis.access.url => url.path
- iis.access.query_string => url.query
- iis.access.port => destination.port
- iis.access.user_name => user.name
- iis.access.referrer => http.request.referrer
- iis.access.response_code => http.response.status_code
- iis.access.hostname => destination.domain
- iis.access.user_agent.original => user_agent.original
- iis.access.geoip => source.geo
a8e1881 to c36be2e
This is ready for a final review. Please make sure to check out the caveat above. I've made sure to list this "breaking" change improvement separately from the ECS transition.
For the version: I prefer the full version string. We had it broken down in an early version of ECS but I didn't see the benefits. Elasticsearch offers prefix queries which means queries for
ruflin left a comment:
LGTM. Ready for merge.
For the user_agent decoding: Do we need this only for IIS or also in other modules?
| description: > | ||
| The major version of the operating system. | ||
| type: alias | ||
| path: user_agent.os.major |
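Review bot: this alias only resolves if `user_agent.os.major` is declared as a concrete (non-alias) field in the module's ECS fields, because an Elasticsearch alias `path` must point at an existing field at mapping time; worth confirming the `user_agent.*` fields are defined before these aliases land. The description "The major version of the operating system." also describes the target rather than this entry; saying it is a backward-compatibility alias for `user_agent.os.major` would tell readers of the old name where the data now lives.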
We could probably use the script processor to concatenate the version fields. I initially hoped the join processor would do this, but it seems to have a different purpose.
Yeah, but all of this refining needs to go in a shared pipeline. We're not going to duplicate this work everywhere, on the eve of starting to share pipelines ;-)
No, in all of the open source web server modules I've been working on, the user agent was always a quoted string. None of them needed to encode all the spaces by replacing them with a
Sorry, I had missed this comment #9084 (comment) before reading your review. Reconstructing the version string is out of scope for this PR, IMO. I've added this to #9208 so we don't lose track of it.
…ccess logs (#9955)

- Introduce the IPv6 zone workaround for the iis.access log as well, resolving #9836.
- Update the IPv6 zone fix (#9869) for iis.error to use the ECS `.address` field instead of a transient field.
- Convert many fields under `iis.error.*` to ECS. Previous field names are field aliases towards the new corresponding ECS field:
  - iis.error.remote_ip => source.address
  - iis.error.remote_port => source.port
  - iis.error.server_ip => destination.address
  - iis.error.server_port => destination.port
  - iis.error.http_version => http.version
  - iis.error.method => http.request.method
  - iis.error.url => url.original
  - iis.error.response_code => http.response.status_code
  - iis.error.geoip.* => source.geo.*
  - read_timestamp => event.created (not aliased, still used elsewhere)
- Update field aliases introduced in #9084 to point to `.address` instead of `.ip`, since this value can be ambiguous. The IP field is populated with the cleaned-up IP without the zone. This is also true for the `.ip` fields populated by the error logs.
  - iis.access.remote_ip => source.address
  - iis.access.server_ip => destination.address
- Coerce to long: source.port, destination.port and http.response.status_code in the iis.error fileset
Caveats

+ signs. Parens and slashes are not replaced, though. `urldecode` on it makes it more palatable to the `user_agent` parser.

Renames

TODO

- `user_agent` to ECS field names
- version string :-)
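The three behaviours discussed in this thread (the iis.access field renames to ECS, the `+`-for-space encoding of `cs(User-Agent)` that a URL decode undoes, and the follow-up's split between a raw `.address` string and a cleaned `.ip` without the IPv6 zone ID) are shown together below in a small Python parser. This is an added example, not code from the PR or from Beats: the `SAMPLE_LOG` lines are constructed, `FIELD_MAP` follows the alias lists in this thread, the column-to-int coercion mirrors the "coerce to long" step, and the timestamp assumes IIS's default of logging in UTC.

```python
import ipaddress
from urllib.parse import unquote_plus

# Constructed sample of an IIS W3C access log (not taken from the PR or from
# Beats). The second data line uses link-local IPv6 addresses with zone IDs
# ("%12"), the case the follow-up's .address/.ip split is meant to handle.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2018-11-19 10:15:22 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36 https://example.com/ 200 0 0 12
2018-11-19 10:15:23 fe80::1%12 POST /api/login user=bob 8080 DOMAIN\\bob fe80::2%12 curl/7.61.0 - 401 2 5 3
"""

# IIS W3C column -> ECS field, following the alias list in this PR and the
# follow-up that points remote_ip/server_ip at .address instead of .ip.
FIELD_MAP = {
    "s-ip": "destination.address",
    "c-ip": "source.address",
    "cs-method": "http.request.method",
    "cs-uri-stem": "url.path",
    "cs-uri-query": "url.query",
    "s-port": "destination.port",
    "cs-username": "user.name",
    "cs(Referer)": "http.request.referrer",
    "sc-status": "http.response.status_code",
    "cs(User-Agent)": "user_agent.original",
}
# Coerced to int here, as the follow-up converts these to long in the pipeline.
INT_FIELDS = {"destination.port", "http.response.status_code"}


def split_zone(address):
    """Split an IIS address value into (ip_without_zone, zone).

    Returns (None, None) when the value is not an IP literal (IIS can log a
    hostname in c-ip). That is why the raw value lives in .address and .ip is
    only set when it parses: an ip-typed field would reject "webserver01".
    """
    host, _, zone = address.partition("%")
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        return None, None
    return ip, zone or None


def decode_user_agent(value):
    """IIS writes spaces in cs(User-Agent) as '+'; undo that (and any %XX).

    Parens, slashes and semicolons are left as-is by IIS, so a plain URL decode
    is enough. A literal '+' in the original UA becomes a space too and cannot
    be told apart afterwards, which is the caveat raised in the thread.
    """
    return unquote_plus(value)


def parse_iis_access(text):
    """Parse W3C-format IIS access log text into a list of flat ECS dicts."""
    fields = None
    events = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        row = dict(zip(fields, values))
        event = {}
        # Assumption: IIS logs in UTC (its default), so date and time can be
        # joined into an ISO-8601 timestamp with a Z suffix.
        event["@timestamp"] = f"{row['date']}T{row['time']}Z"
        for name, value in row.items():
            ecs = FIELD_MAP.get(name)
            if ecs is None or value == "-":  # "-" is how IIS writes an empty column
                continue
            if ecs in INT_FIELDS:
                value = int(value)
            elif ecs == "user_agent.original":
                value = decode_user_agent(value)
            event[ecs] = value
        # Keep the raw string in .address; set .ip only to the cleaned value.
        for side in ("source", "destination"):
            raw = event.get(f"{side}.address")
            if raw is not None:
                ip, _zone = split_zone(raw)
                if ip is not None:
                    event[f"{side}.ip"] = ip
        events.append(event)
    return events


if __name__ == "__main__":
    for ev in parse_iis_access(SAMPLE_LOG):
        print(ev)
```

Running the module prints one flat dict per data line; the first event carries the decoded browser user agent and integer port and status, the second keeps `fe80::2%12` in `source.address` while `source.ip` holds `fe80::2`, which is the value an `ip`-typed mapping will accept.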