Aligns closer to the OSI model to cover more cases

elastic · Sep 4, 2018 · 8324db5 · 8324db5
1 parent 3ca1f4b
commit 8324db5
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -288,7 +288,9 @@ Fields related to network data.
 |---|---|---|---|---|
 | <a name="network.name"></a>network.name  | Name given by operators to sections of their network.  | text  |   | `Guest Wifi`  |
 | <a name="network.name.raw"></a>network.name.raw  | Name given by operators to sections of their network.  | keyword  | 1  |   |
-| <a name="network.protocol"></a>network.protocol  | Network protocol name.  | keyword  |   | `http`  |
+| <a name="network.network"></a>network.network  | OSI Layer 3 Network Layer. Examples - IP, ICMP  | keyword  |   | `ip`  |
+| <a name="network.transport"></a>network.transport  | OSI Layer 4 Transport Layer. Examples - TCP, UDP  | keyword  |   | `tcp`  |
+| <a name="network.application"></a>network.application  | OSI Layer 7 Transport Layer. Examples - http, transport, ssh  | keyword  |   | `http`  |
 | <a name="network.direction"></a>network.direction  | Direction of the network traffic.<br/>Recommended values are:<br/>  * inbound<br/>  * outbound<br/>  * unknown  | keyword  |   | `inbound`  |
 | <a name="network.forwarded_ip"></a>network.forwarded_ip  | Host IP address when the source IP address is the proxy.  | ip  |   | `192.1.1.2`  |
 | <a name="network.inbound.bytes"></a>network.inbound.bytes  | Network inbound bytes.  | long  |   | `184`  |

diff --git a/fields.yml b/fields.yml
@@ -768,11 +768,20 @@
               type: keyword
               description: >
                 Name given by operators to sections of their network.
-    
-        - name: protocol
+        - name: network
+          type: keyword
+          description: >
+              OSI Layer 3 Network Layer. Examples - IP, ICMP
+          example: ip
+        - name: transport
+          type: keyword
+          description: >
+              OSI Layer 4 Transport Layer. Examples - TCP, UDP
+          example: tcp
+        - name: application
           type: keyword
           description: >
-            Network protocol name.
+              OSI Layer 7 Transport Layer. Examples - http, transport, ssh
           example: http
         - name: direction
           type: keyword

diff --git a/schema.csv b/schema.csv
@@ -94,16 +94,18 @@ log.level,keyword,0,ERR
 log.line,long,0,18
 log.offset,long,0,12
 log.original,keyword,1,Sep 19 08:26:10 localhost My log
+network.application,keyword,0,http
 network.direction,keyword,0,inbound
 network.forwarded_ip,ip,0,192.1.1.2
 network.inbound.bytes,long,0,184
 network.inbound.packets,long,0,12
 network.name,text,0,Guest Wifi
+network.network,keyword,0,ip
 network.outbound.bytes,long,0,184
 network.outbound.packets,long,0,12
-network.protocol,keyword,0,http
 network.total.bytes,long,0,368
 network.total.packets,long,0,24
+network.transport,keyword,0,tcp
 organization.id,keyword,0,
 organization.name,text,0,
 os.family,keyword,0,debian

diff --git a/schemas/network.yml b/schemas/network.yml
@@ -16,11 +16,20 @@
           type: keyword
           description: >
             Name given by operators to sections of their network.
-
-    - name: protocol
+    - name: network
+      type: keyword
+      description: >
+          OSI Layer 3 Network Layer. Examples - IP, ICMP
+      example: ip
+    - name: transport
+      type: keyword
+      description: >
+          OSI Layer 4 Transport Layer. Examples - TCP, UDP
+      example: tcp
+    - name: application
       type: keyword
       description: >
-        Network protocol name.
+          OSI Layer 7 Transport Layer. Examples - http, transport, ssh
       example: http
     - name: direction
       type: keyword

diff --git a/template.json b/template.json
@@ -495,6 +495,10 @@
         },
         "network": {
           "properties": {
+            "application": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
             "direction": {
               "ignore_above": 1024,
               "type": "keyword"
@@ -522,6 +526,10 @@
               "norms": false,
               "type": "text"
             },
+            "network": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
             "outbound": {
               "properties": {
                 "bytes": {
@@ -532,10 +540,6 @@
                 }
               }
             },
-            "protocol": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
             "total": {
               "properties": {
                 "bytes": {
@@ -545,6 +549,10 @@
                   "type": "long"
                 }
               }
+            },
+            "transport": {
+              "ignore_above": 1024,
+              "type": "keyword"
             }
           }
         },
@@ -668,6 +676,7 @@
           "properties": {
             "certificates": {
               "doc_values": false,
+              "ignore_above": 1024,
               "type": "keyword"
             },
             "ciphersuite": {