Skip to content

Update TLS protocol to use ECS fields#9980

Merged
andrewkroh merged 2 commits intoelastic:masterfrom
andrewkroh:feature/pb/tls-ecs-fields
Jan 14, 2019
Merged

Update TLS protocol to use ECS fields#9980
andrewkroh merged 2 commits intoelastic:masterfrom
andrewkroh:feature/pb/tls-ecs-fields

Conversation

@andrewkroh
Copy link
Copy Markdown
Member

@andrewkroh andrewkroh commented Jan 10, 2019
edited
Loading

NOTE: This is based on another open PR so please only review the last commit

That dashboards were updated too. There weren't many changes needed w.r.t. fields
but I did update the visualizations and saved searches to include [Packetbeat] in their
names.

I added a python test case for TLS and discovered a few fields that were not documented
so I updated the fields docs accordingly.

Here's a summary of what fields changed.

Part of #7968

Changed

  • responsetime -> event.duration (unit are now nanoseconds)

Added

  • event.dataset = tls
  • event.end
  • event.start
  • network.community_id
  • network.protocol = tls
  • network.type
  • source.domain (added if there's a SNI value)

Unchanged Packetbeat Fields

  • status
  • type = http (we might remove this since we have event.dataset)

@andrewkroh andrewkroh requested review from a team as code owners January 10, 2019 03:07
@andrewkroh andrewkroh force-pushed the feature/pb/tls-ecs-fields branch from 8ddda5b to bca0bfd Compare January 10, 2019 03:07
@andrewkroh andrewkroh force-pushed the feature/pb/tls-ecs-fields branch from bca0bfd to 96d4f34 Compare January 10, 2019 06:02
adriansr
adriansr approved these changes Jan 10, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@adriansr adriansr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for the improvements and new tests!

packetbeat/_meta/kibana/6/dashboard/Packetbeat-tls.json Outdated
Copy link
Copy Markdown
Contributor

@adriansr adriansr Jan 10, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess I added this to the dashboard while creating it. Can you remove it?

Copy link
Copy Markdown
Member Author

@andrewkroh andrewkroh Jan 10, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@andrewkroh andrewkroh force-pushed the feature/pb/tls-ecs-fields branch from 96d4f34 to fbb8a1a Compare January 10, 2019 15:26
@andrewkroh
Update TLS protocol to use ECS fields
7d67c7c 
That dashboards were updated too. There weren't many changes needed w.r.t. fields
but I did update the visualizations and saved searches to include `[Packetbeat]` in their
names.

I added a python test case for TLS and discovered a few fields that were not documented
so I updated the fields docs accordingly.

Here's a summary of what fields changed.

Part of elastic#7968

Changed

- responsetime -> event.duration (unit are now nanoseconds)

Added

- event.dataset = tls
- event.end
- event.start
- network.community_id
- network.protocol = tls
- network.type
- source.domain (added if there's a SNI value)

Unchanged Packetbeat Fields

- status
- type = http (we might remove this since we have event.dataset)
@andrewkroh
Update TLS Session Resume to remove xxx-nope
e0c1a4f
@andrewkroh andrewkroh force-pushed the feature/pb/tls-ecs-fields branch from fbb8a1a to e0c1a4f Compare January 10, 2019 15:28
@andrewkroh andrewkroh merged commit c956b80 into elastic:master Jan 14, 2019
@andrewkroh andrewkroh mentioned this pull request Jan 24, 2019
Closed
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@adriansr adriansr adriansr approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

ecs Packetbeat review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@andrewkroh @adriansr