New field event.provider

[vbohata]

I have multiple log types with field named like "source" which is some component/provider of the log. If possible I use non-ECS event.logger field but in fact it is not usable here (logger can be some part of application like class/module itself). I noticed in https://github.com/elastic/beats/pull/10333/files it is named winlog.provider_name but it should be more general and part of ECS because Windows Event log is not the only log type which uses it. So I propose to add "event.provider" field.

[webmat]

Yes, winlog.provider_name is just reusing the Windows Event Log terminology as is, it's not an ECS field yet. What you're suggesting is interesting.

I think it would also map well to Syslog's "programname" field. In the Beats 7.0 migration to ECS, we mapped it to process.name, which is kid of accurate, but not always (e.g. kernel messages).

We'll take this into consideration in the next batch of updates we do to ECS.

[webmat]

@vbohata #439 👀

event.provider as you suggested :-)