From 9c10f5ef41e25678c941f835950fb8617872b56e Mon Sep 17 00:00:00 2001
From: Rob Gil
Date: Fri, 2 Nov 2018 16:42:50 -0400
Subject: [PATCH 1/2] Revised network.* with IANA and application
---
README.md | 6 +++++-
fields.yml | 36 +++++++++++++++++++++++++++++++++++-
schema.csv | 4 ++++
schemas/network.yml | 36 +++++++++++++++++++++++++++++++++++-
template.json | 16 ++++++++++++++++
5 files changed, 95 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 2c82276ab4..63869c46e7 100644
--- a/README.md
+++ b/README.md
@@ -282,7 +282,11 @@ Fields related to network data.
 | Field | Description | Level | Type | Example |
 |---|---|---|---|---|
 | network.name | Name given by operators to sections of their network. | extended | keyword | `Guest Wifi` |
-| network.protocol | Network protocol name. | core | keyword | `http` |
+| network.type | In the OSI Model this would be the Network Layer. | core | keyword | `IPV4` |
+| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which log using the IANA Protocol Number. | extended | keyword | `6` |
+| network.transport | Same as network.iana_number, but instead using the Keyword name. | core | keyword | `IPv6-ICMP` |
+| network.application | A name given to an application. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. | extended | keyword | `AIM` |
+| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol | core | keyword | `http` |
 | network.direction | Direction of the network traffic.
Recommended values are:
* inbound
* outbound
* unknown | core | keyword | `inbound` |
 | network.forwarded_ip | Host IP address when the source IP address is the proxy. | core | ip | `192.1.1.2` |
 | network.inbound.bytes | Network inbound bytes. | core | long | `184` |
diff --git a/fields.yml b/fields.yml
index 8ee21f675e..a5f8d2a301 100644
--- a/fields.yml
+++ b/fields.yml
@@ -826,11 +826,45 @@
 Name given by operators to sections of their network.
 example: Guest Wifi
 
+ - name: type
+ level: core
+ type: keyword
+ description: >
+ In the OSI Model this would be the Network Layer.
+ example: IPV4
+
+ - name: iana_number
+ level: extended
+ type: keyword
+ description: >
+ IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
+ Standardized list of protocols. This aligns well with NetFlow and
+ sFlow related logs which log using the IANA Protocol Number.
+ example: 6
+
+ - name: transport
+ level: core
+ type: keyword
+ description: >
+ Same as network.iana_number, but instead using the Keyword name.
+ example: IPv6-ICMP
+
+ - name: application
+ level: extended
+ type: keyword
+ description: >
+ A name given to an application. This can be arbitrarily assigned for
+ things like microservices, but also apply to things like skype, icq,
+ facebook, twitter. This would be used in situations where the vendor
+ or service can be decoded such as from the source/dest IP owners,
+ ports, or wire format.
+ example: AIM
+
 - name: protocol
 level: core
 type: keyword
 description: >
- Network protocol name.
+ L7 Network protocol name. ex. http, lumberjack, transport protocol
 example: http
 
 - name: direction
diff --git a/schema.csv b/schema.csv
index a93f23c3db..67ebd2f2ba 100644
--- a/schema.csv
+++ b/schema.csv
@@ -86,8 +86,10 @@ http.response.status_code,long,extended,404
 http.version,keyword,extended,1.1
 log.level,keyword,core,ERR
 log.original,keyword,core,Sep 19 08:26:10 localhost My log
+network.application,keyword,extended,AIM
 network.direction,keyword,core,inbound
 network.forwarded_ip,ip,core,192.1.1.2
+network.iana_number,keyword,extended,6
 network.inbound.bytes,long,core,184
 network.inbound.packets,long,core,12
 network.name,keyword,extended,Guest Wifi
@@ -96,6 +98,8 @@ network.outbound.packets,long,core,12
 network.protocol,keyword,core,http
 network.total.bytes,long,core,368
 network.total.packets,long,core,24
+network.transport,keyword,core,IPv6-ICMP
+network.type,keyword,core,IPV4
 organization.id,keyword,extended,
 organization.name,keyword,extended,
 os.family,keyword,extended,debian
diff --git a/schemas/network.yml b/schemas/network.yml
index e78c6761a0..92de28cca7 100644
--- a/schemas/network.yml
+++ b/schemas/network.yml
@@ -14,11 +14,45 @@
 Name given by operators to sections of their network.
 example: Guest Wifi
 
+ - name: type
+ level: core
+ type: keyword
+ description: >
+ In the OSI Model this would be the Network Layer.
+ example: IPV4
+
+ - name: iana_number
+ level: extended
+ type: keyword
+ description: >
+ IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
+ Standardized list of protocols. This aligns well with NetFlow and
+ sFlow related logs which log using the IANA Protocol Number.
+ example: 6
+
+ - name: transport
+ level: core
+ type: keyword
+ description: >
+ Same as network.iana_number, but instead using the Keyword name.
+ example: IPv6-ICMP
+
+ - name: application
+ level: extended
+ type: keyword
+ description: >
+ A name given to an application. This can be arbitrarily assigned for
+ things like microservices, but also apply to things like skype, icq,
+ facebook, twitter. This would be used in situations where the vendor
+ or service can be decoded such as from the source/dest IP owners,
+ ports, or wire format.
+ example: AIM
+
 - name: protocol
 level: core
 type: keyword
 description: >
- Network protocol name.
+ L7 Network protocol name. ex. http, lumberjack, transport protocol
 example: http
 
 - name: direction
diff --git a/template.json b/template.json
index 7930e19163..b381f130b4 100644
--- a/template.json
+++ b/template.json
@@ -429,6 +429,10 @@
 },
 "network": {
 "properties": {
+ "application": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "direction": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -436,6 +440,10 @@
 "forwarded_ip": {
 "type": "ip"
 },
+ "iana_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "inbound": {
 "properties": {
 "bytes": {
@@ -473,6 +481,14 @@
 "type": "long"
 }
 }
+ },
+ "transport": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
 }
 }
 },
From f28946844402fb04fa8fe7817a196c4b39f1fbed Mon Sep 17 00:00:00 2001
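Review bot: The new keyword fields in this hunk state no canonical case, and their examples disagree with one another (`IPV4` for network.type, `IPv6-ICMP` for network.transport, `AIM` for network.application), which matters because keyword values are exact-match: a query or detection rule on `network.transport: tcp` will not match an event that carries `TCP`. Each description should pin the expected normalization, e.g. for transport `Same as network.iana_number, but instead using the Keyword name. Values should be lowercase (e.g. tcp, udp, ipv6-icmp).` with the example changed to match. The network.protocol description `L7 Network protocol name. ex. http, lumberjack, transport protocol` offers a transport protocol as an example of an L7 name, which contradicts the new network.transport field added just above it; dropping that last example removes the ambiguity. The fields.yml and README.md hunks earlier in this patch carry the same text, presumably generated from this file, so the wording fix belongs here.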
From: Rob Gil
Date: Fri, 2 Nov 2018 16:45:28 -0400
Subject: [PATCH 2/2] Adds additional network.type examples
---
README.md | 2 +-
fields.yml | 2 +-
schemas/network.yml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 63869c46e7..5ff8891d7b 100644
--- a/README.md
+++ b/README.md
@@ -282,7 +282,7 @@ Fields related to network data.
 | Field | Description | Level | Type | Example |
 |---|---|---|---|---|
 | network.name | Name given by operators to sections of their network. | extended | keyword | `Guest Wifi` |
-| network.type | In the OSI Model this would be the Network Layer. | core | keyword | `IPV4` |
+| network.type | In the OSI Model this would be the Network Layer. IPv4, IPV6, IPSec, PIM, etc | core | keyword | `IPV4` |
 | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which log using the IANA Protocol Number. | extended | keyword | `6` |
 | network.transport | Same as network.iana_number, but instead using the Keyword name. | core | keyword | `IPv6-ICMP` |
 | network.application | A name given to an application. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. | extended | keyword | `AIM` |
diff --git a/fields.yml b/fields.yml
index a5f8d2a301..5d843c3076 100644
--- a/fields.yml
+++ b/fields.yml
@@ -830,7 +830,7 @@
 level: core
 type: keyword
 description: >
- In the OSI Model this would be the Network Layer.
+ In the OSI Model this would be the Network Layer. IPv4, IPV6, IPSec, PIM, etc
 example: IPV4
 
 - name: iana_number
diff --git a/schemas/network.yml b/schemas/network.yml
index 92de28cca7..1857e21285 100644
--- a/schemas/network.yml
+++ b/schemas/network.yml
@@ -18,7 +18,7 @@
 level: core
 type: keyword
 description: >
- In the OSI Model this would be the Network Layer.
+ In the OSI Model this would be the Network Layer. IPv4, IPV6, IPSec, PIM, etc
 example: IPV4
 
 - name: iana_number
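Review bot: The added examples `IPv4, IPV6, IPSec, PIM, etc` on the network.type description mix layers: IPv4 and IPv6 are network-layer types, but IPSec (ESP/AH) and PIM are protocols carried inside IP and appear in the IANA protocol-number registry, so under this schema they belong in network.iana_number / network.transport rather than network.type. Listing them here invites producers to populate network.type with values other sources put in network.transport, so the same traffic ends up split across two fields and a filter on either one misses part of it. A description such as `In the OSI Model this would be the Network Layer (e.g. ipv4, ipv6).` keeps the field to its stated layer, and the example's casing should then match the description. The README.md and fields.yml hunks in this patch carry the same sentence.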