[Packetbeat] Update DNS protocol to use ECS fields #9941
andrewkroh merged 8 commits into elastic:master from
Conversation
ruflin
Could you add a changelog entry and update ecs-migration.yml? I assume some updates to fields.yml for dns are also needed?
NOTICE.txt
My first thought was to fix it to Beta2 but at this stage the go code was not in yet :-(
Luckily the code generated from this commit is exactly the same as what would be in beta2 if I backported (I started a backport and realized they’d be the same).
There are no changes needed to fields.yml in this PR. When I finish updating the last protocol in Packetbeat, there should be several updates removing unused fields. Then I can add aliases to ecs-migration.yml. None of the DNS-specific fields were changed. I'll update the changelog.

CHANGELOG.next is now updated.
What we often do in these ECS migration PRs is also include in the PR description the list of fields which we renamed.
Update NOTICE
This updates the DNS protocol to more closely follow ECS. The DNS tunneling dashboard has been updated to work with the new field names.

In order to better interoperate with other data sources the trailing dot has been removed from domain names. For example, previously Packetbeat would produce `dns.question.name:elastic.co.` and now it will simply produce `dns.question.name:elastic.co`. It's a breaking change but it will make it easier to pivot with other data sources.

Part of elastic#7968

Here's a summary of what fields changed.

Changed
- bytes_in -> source.bytes
- bytes_out -> destination.bytes
- notes -> error.message
- responsetime -> event.duration (units are now nanoseconds)
- transport -> network.transport

Added
- event.end
- event.start
- network.bytes
- network.community_id
- network.protocol = dns
- network.transport = udp/tcp
- network.type

Unchanged Packetbeat Fields
- method - dns opcode
- query = class {{ dns.question.class }}, type {{ dns.question.type }}, {{ dns.question.name }}
- request - text representation of the entire request
- response - text representation of the entire response
- resource - dns.question.name
- status
- type = dns (we might remove this since we have event.dataset)
No aliases yet because these fields are still used.
7d7e585 to eca5b23
@ruflin I added a few fields to ecs-migration.yml (all with Can you please take another look.
There was an ID collision over the `DNS` ID.
8c38eda to 44d02fa
With low-resolution timers on Windows it's very possible that an event can have an event.duration=0 and we want to send that field when this occurs.
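The field mapping in the PR description and the zero-duration case above, worked through as an added example. This is not Packetbeat's own code: it is a small Go program that takes one pre-ECS DNS transaction (a constructed sample, not a real capture) and produces the ECS-shaped document, applying the renames from the list, stripping the trailing dot from dns.question.name, converting responsetime to event.duration in nanoseconds (kept even when it is 0), and deriving network.bytes, network.type and network.community_id. Assumptions: events are flat maps with dotted keys, source.ip/port and destination.ip/port are already present, the old responsetime was in milliseconds, the root name "." is left untouched, and Community ID v1 is computed with seed 0 for TCP/UDP only.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"net"
	"strings"
	"time"
)

// Event is a flat document keyed by dotted field names (stand-in for Beats' map type).
// Values use the Go types a JSON decoder would give: int for counters, string otherwise.
type Event map[string]interface{}

// renames: pre-ECS Packetbeat DNS names -> ECS names, from the PR description.
// responsetime is handled separately because its unit changes (ms -> ns).
var renames = map[string]string{
	"bytes_in":  "source.bytes",
	"bytes_out": "destination.bytes",
	"notes":     "error.message",
	"transport": "network.transport",
}

var protoNumber = map[string]uint8{"tcp": 6, "udp": 17} // IANA protocol numbers

// trimTrailingDot turns "elastic.co." into "elastic.co" so the name matches other
// data sources. The root name "." is kept as-is (assumption, not from the PR).
func trimTrailingDot(name string) string {
	if name == "." || !strings.HasSuffix(name, ".") {
		return name
	}
	return strings.TrimSuffix(name, ".")
}

// canonicalIP gives the 4-byte form for IPv4 and the 16-byte form for IPv6.
func canonicalIP(ip net.IP) []byte {
	if v4 := ip.To4(); v4 != nil {
		return v4
	}
	return ip.To16()
}

// communityID computes Community ID v1 for a TCP/UDP flow (network.community_id):
// "1:" + base64(sha1(seed || src || dst || proto || 0x00 || sport || dport)),
// with the endpoints ordered so that both directions of a flow yield the same ID.
func communityID(seed uint16, src, dst net.IP, sport, dport uint16, proto uint8) string {
	a, b := canonicalIP(src), canonicalIP(dst)
	if c := bytes.Compare(a, b); c > 0 || (c == 0 && sport > dport) {
		a, b = b, a
		sport, dport = dport, sport
	}
	var be [2]byte
	h := sha1.New()
	binary.BigEndian.PutUint16(be[:], seed)
	h.Write(be[:])
	h.Write(a)
	h.Write(b)
	h.Write([]byte{proto, 0}) // protocol number, then one padding byte
	binary.BigEndian.PutUint16(be[:], sport)
	h.Write(be[:])
	binary.BigEndian.PutUint16(be[:], dport)
	h.Write(be[:])
	return "1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// toECS rewrites one pre-ECS DNS transaction into the ECS-aligned shape.
// It assumes source.ip/port and destination.ip/port are already present.
func toECS(old Event) Event {
	ecs := Event{}
	for k, v := range old {
		if ecsKey, ok := renames[k]; ok {
			k = ecsKey
		}
		ecs[k] = v
	}
	// responsetime (ms, assumption) -> event.duration (ns). A zero value is still
	// emitted: with low-resolution timers on Windows, 0 is a legitimate duration.
	if ms, ok := ecs["responsetime"].(int); ok {
		delete(ecs, "responsetime")
		ecs["event.duration"] = int64(time.Duration(ms) * time.Millisecond)
	}
	if name, ok := ecs["dns.question.name"].(string); ok {
		ecs["dns.question.name"] = trimTrailingDot(name)
	}
	in, _ := ecs["source.bytes"].(int)
	out, _ := ecs["destination.bytes"].(int)
	ecs["network.bytes"] = in + out
	ecs["network.protocol"] = "dns"

	src := net.ParseIP(old["source.ip"].(string))
	dst := net.ParseIP(old["destination.ip"].(string))
	sport := uint16(old["source.port"].(int))
	dport := uint16(old["destination.port"].(int))
	if src.To4() != nil {
		ecs["network.type"] = "ipv4"
	} else {
		ecs["network.type"] = "ipv6"
	}
	transport, _ := ecs["network.transport"].(string)
	if proto, ok := protoNumber[transport]; ok {
		ecs["network.community_id"] = communityID(0, src, dst, sport, dport, proto)
	}
	return ecs
}

// sampleOld is a constructed pre-ECS DNS transaction, not a real capture.
func sampleOld() Event {
	return Event{
		"type": "dns", "transport": "udp",
		"source.ip": "10.0.0.5", "source.port": 53214,
		"destination.ip": "10.0.0.53", "destination.port": 53,
		"bytes_in": 45, "bytes_out": 61,
		"responsetime":      12, // milliseconds
		"dns.question.name": "elastic.co.",
	}
}

func main() {
	for k, v := range toECS(sampleOld()) {
		fmt.Printf("%-22s %v\n", k, v)
	}
}
```

Running it prints the ECS document for the sample; the community ID for the response direction (10.0.0.53:53 -> 10.0.0.5:53214) is identical to the request's, which is what makes the field usable for joining both halves of a DNS exchange with flow data from other sources.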
44d02fa to 6b17673
ruflin
LGTM
We normally don't rename the fields in the dashboard as I was hoping to do this with a script all at once. But it should not cause any issue if we have some dashboards already renamed. Good to go.
Thanks for the detailed PR description.