All notable changes to this project will be documented in this file based on the Keep a Changelog Standard. This project adheres to Semantic Versioning.
- Remove `expected_values` from `threat.*.indicator.name` fields. #2281
- Respect reusable.top_level in Beats generator #2278
- Added `container.security_context.privileged` to indicate whether a container was started in privileged mode. #2219, #2225, #2246
- Added `process.thread.capabilities.permitted` to contain the current thread's possible capabilities. #2245
- Added `process.thread.capabilities.effective` to contain the current thread's effective capabilities. #2245
- Permit `ignore_above` if explicitly set on a `flattened` field. #2248
- Improved documentation formatting to better follow the contributing guide. #2226
- Bump `gitpython` dependency from 3.1.30 to 3.1.35 for security fixes. #2251, #2264, #2265
- Added `process.vpid` for namespaced process ids. #2211
- Removed `faas.trigger: nested` since we only have one trigger. #2194
- Add `event.type: access` as an allowed value for `event.category: file`. #2174
- Add `orchestrator.resource.annotation` and `orchestrator.resource.label`. #2181
- Add `event.kind: asset` as a beta category. #2191
- Add `parameters` property for field definitions, to provide any mapping parameter. #2084
- Remove duplicated `client.domain` definition. #2120
- Adding `name` field to `threat.indicator`. #2121
- Adding `api` option to `event.category`. #2147
- Adding `library` option to `event.category`. #2154
- Description for `host.name` definition updated to encourage use of FQDN. #2122
- Updated usage docs to include `threat.indicator.url.domain` and changed `indicator.marking.tlp` and `indicator.enrichments.marking.tlp` from "WHITE" to "CLEAR" to align with TLP 2.0. #2124
- Bump `gitpython` from `3.1.27` to `3.1.30` in `/scripts`. #2139
- Fixing `tlp_version` and `tlp` field for threat. #2156
- Adding `vulnerability` option for `event.category`. #2029
- Added `device.*` field set as beta. #2030
- Added `tlp.version` to threat. #2074
- Added fields for executable object format metadata for ELF, Mach-O and PE. #2083
- Added `CLEAR` and `AMBER+STRICT` as valid values for `threat.indicator.marking.tlp` and `enrichments.indicator.marking.tlp` to accept new TLP 2.0 markings. #2022, #2074
- Fixes invalid `number` type on 4 `process.io` subfields. #2105
- Fix type of `normalize` in `process.io.bytes_skipped`. #2094
- Adding `risk.*` fields as experimental. #1994, #2010
- Adding `process.io.*` as beta fields. #1956, #2031
- Adding `process.tty.rows` and `process.tty.columns` as beta fields. #2031
- Changed `process.env_vars` field type to be an array of keywords. #2038
- Added `process.attested_user` and `process.attested_groups` as beta fields. #2050
- Added `risk.*` fieldset to beta. #2051, #2058
- Moved Linux event model fields to GA. #2082
- Advances `threat.enrichments.indicator` to GA. #1928
- Added `ios` and `android` as valid values for `os.type`. #1999
- Added deprecation warning for `misspell` task. #1993
- Fix typo in client schema. #2014
- Initial set of `expected_values`. #1962
- Adding `service.node.roles`. #1981
- Introduce `expected_values` attribute. #1952
- Additional type annotations. #1950
- Deprecate `service.node.role` in favor of upcoming `service.node.roles`. #1976
- Added `pattern` attribute to `.mac` fields. #1871
- Add `orchestrator.cluster.id`. #1875
- Add `orchestrator.resource.id`. #1878
- Add `orchestrator.resource.parent.type`. #1889
- Add `orchestrator.resource.ip`. #1889
- Add `container.image.hash.all`. #1889
- Add `service.node.role`. #1916
- Advanced `container.*` metric fields to GA. #1927
- Adding missing process fields for documentation. #1906
- Add type hints to `schema` modules. #1771
- Support `docs_only` param to subset defs. #1909
- Add beta `container.*` metric fields. #1789
- Add six new syslog fields to `log.syslog.*`. #1793
- Added `faas.id`, `faas.name` and `faas.version` fields as beta. #1796
- Added Linux event model beta fields and reuses to support RFC 0030. #1842, #1847, #1884
- Added `threat.feed.dashboard_id`, `threat.feed.description`, `threat.feed.name`, `threat.feed.reference` fields. #1844
- `email.*` field set now GA. #1794, #1841
- Adding optional field attribute, `pattern`. #1834
- Added support for re-using a fieldset as an array. #1838
- Added `--force-docs` option to generator. #1879
- Update refs from master to main in USAGE.md etc #1658
- Clean up trailing spaces and additional newlines in schemas #1667
- Use higher compression as default in composable index template settings. #1712
- Added two new fields (`sha384`, `tlsh`) to hash schema and one field to pe schema (`pehash`). #1678
- Added `email.*` beta field set. #1688, #1705
- Removing `process.target.*` reuses from experimental schema. #1666
- Removing RFC 0014 `pe.*` fields from experimental schema. #1670
- Fix invalid documentation link generation in component templates `_meta`. #1728
- Update refs from master to main in USAGE.md etc #1658
- Clean up trailing spaces and additional newlines in schemas #1667
- Use higher compression as default in composable index template settings. #1712
- Bump dependencies. #1782
- Pin `markupsafe==2.0.1` to resolve `ImportError` exception. #1804
- Remove `host.user.*` field reuse. #1439
- Remove deprecation notice on `http.request.method`. #1443
- Migrate `log.origin.file.line` from `integer` to `long`. #1533
- Remove `log.original` field. #1580
- Remove `process.ppid` field. #1596
- Added `faas.*` field set as beta. #1628, #1755
- Wildcard type field migration GA. #1582
- `match_only_text` type field migration GA. #1584
- Threat indicator fields GA from RFC 0008. #1586
- Removing deprecated --oss from generator #1404
- Removing use-cases directory #1405
- Remove Go code generator. #1567
- Remove template generation for ES6. #1680
- Update folder structure for generated ES artifacts. #1700, #1762
- Updated support for overridable composable settings template. #1737
- Align input options for `--include` and `--subset` arguments. #1519
- Remove remaining Go deps after removing Go code generator. #1585
- Add explicit `default_field: true` for Beats artifacts. #1633
- Reorganize docs directory structure. #1679
- Added support for `analyzer` definitions for text fields. #1737
- Adding release notes section into ECS docs. #1800
- Fixed the `default_field` flag for root fields in Beats generator. #1711
- Add `object` as fallback for `flattened` type. #1653
- Updating `x509` order to correct nesting. #1621
- Updating `hash` order to correct nesting. #1603
- Removing incorrect `hash` reuses. #1604
- Updating `pe` order to correct nesting. #1605
- Removing incorrect `pe` reuses. #1606
- Correcting `enrichments` to an `array` type. #1608
- Added `file.fork_name` field. #1288
- Added `service.address` field. #1537
- Added `service.environment` as a beta field. #1541
- Added `process.end` field. #1544
- Added container metric fields into experimental schema. #1546
- Add `code_signature.digest_algorithm` and `code_signature.timestamp` fields. #1557
- Add `email.*` field set in the experimental fields. #1569
- Beta migration on some `keyword` fields to `wildcard`. #1517
- Promote `threat.software.*` and `threat.group.*` fields to GA. #1540
- Update `user.name` and `user.id` examples for clarity. #1566
- Beta migration of `text` and `.text` multi-fields to `match_only_text`. #1532, #1571
- Support ES 6.x type fallback for `match_only_text` field types. #1528
- Prevent failure of `find | xargs rm` if no files need to be deleted. #1588
- Document field type family interoperability in FAQ. #1591
- `elf.*` field set added as beta. #1410
- Remove `beta` from `orchestrator` field set. #1417
- Extend `threat.*` field set beta. #1438
- Added `event.agent_id_status` field. #1454
- `process.target` and `process.target.parent` added to experimental schema. #1467
- Threat indicator fields progress to beta stage. #1471, #1504
- `threat.enrichments` beta fields. #1478, #1504
- Fix ecs GitHub repo link source branch #1393
- Add `--exclude` flag to Generator to support field removal testing. #1411
- Explicitly include user identifiers in `related.user` description. #1420
- Improve descriptions for `cloud.region` and `cloud.availability` fields. #1452
- Clarify `event.kind` descriptions for `alert` and `signal`. #1548
- Note deprecation of the `host.user.*` field reuse. #1422
- Note deprecation of `log.original` superseded by `event.original`. #1469
- Remove `ignore_above` when `index: false` and `doc_values: false`. #1483
- Ensure `doc_values` is carried into Beats artifacts. #1488
- Support `match_only_text` data type in Go code generator. #1418
- Support for multi-level, self-nestings. #1459
- `beta` attribute now supported on categorization allowed values. #1511
- Swap `Location` and `Field Set` columns in `Field Reuse` table for better readability. #1472, #1476
- Use bullet points to list field reuses. #1473
- Improve wording in `Threat` schema. #1505
- Add `data_stream` fieldset. #1307
- Add `orchestrator` fieldset as beta fields. #1326
- Extend `threat.*` experimental fields with proposed changes from RFC 0018. #1344, #1351
- Allow custom descriptions for self-nesting reuses via `short_override`. #1366
- Updated descriptions to use Elastic Security #1305
- Host metrics fields from RFC 0005 are now GA. #1319
- Adjustments to the field set "usage" docs #1345
- Adjustments to the sidebar naming convention for usage and examples docs #1354
- Update `user.*` field reuse descriptions. #1382
- Correcting fieldset name capitalization for generated ES template #1323
- Support `nested` types in Go code generator. #1254, #1350
- Go code generator now supports the `flattened` data type. #1302
- Adjustments to use terminology that doesn't have negative connotation. #1315
- Added `hash.ssdeep`. #1169
- Added `cloud.service.name`. #1204
- Added `http.request.id`. #1208
- `data_stream.*` fieldset introduced in experimental schema and artifacts. #1215
- Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229
- Added `beta` host metrics fields. #1248
- Added `code_signature.team_id`, `code_signature.signing_id`. #1249
- Extended `pe` fields added to experimental schema. #1256
- Add `elf` fieldset to experimental schema. #1261
- Add `threat.indicator` fields to experimental schema. #1268
- Include formatting guidance and examples for MAC address fields. #456
- New section in ECS detailing event categorization fields usage. #1242
- `user.changes.*`, `user.effective.*`, and `user.target.*` field reuses are GA. #1271
- Update Python dependencies #1310, #1318
- Adjustments to use terminology that doesn't have negative connotation. #1315
- Clean up `event.reference` description. #1181
- Go code generator fails if `scaled_float` type is used. #1250
- Added `event.category` "registry". #1040
- Added `event.category` "session". #1049
- Added usage documentation for `user` fields. #1066
- Added `user` fields at `user.effective.*`, `user.target.*` and `user.changes.*`. #1066
- Added `os.type`. #1111
- Event categorization fields GA. #1067
- Note `[` and `]` bracket characters may enclose a literal IPv6 address when populating `url.domain`. #1131
- Reinforce the exclusion of the leading dot from `url.extension`. #1151
- Deprecated `host.user.*` fields for removal at the next major. #1066
- `tracing` fields should be at root of Beats `fields.ecs.yml` artifacts. #1164
- Added the `path` key when type is `alias`, to support the alias field type. #877
- Added support for `scaled_float`'s mandatory parameter `scaling_factor`. #1042
- Added ability for `--oss` flag to fall back `constant_keyword` to `keyword`. #1046
- Added support in the generated Go source for `wildcard`, `version`, and `constant_keyword` data types. #1050
- Added support for marking fields, field sets, or field reuse as beta in the documentation. #1051
- Added support for `constant_keyword`'s optional parameter `value`. #1112
- Added component templates for ECS field sets. #1156, #1186, #1191
- Added functionality for merging custom and core multi-fields. #982
- Make all fields linkable directly. #1148
- Added a notice highlighting that the `tracing` fields are not nested under the namespace `tracing.` #1162
- ES 6.x template data types will fall back to supported types. #1171, #1176, #1186
- Add a documentation page discussing the experimental artifacts. #1189
- The `protocol` allowed value under `event.type` should not have the `expected_event_types` defined. #964
- Clarify the definition of `file.extension` (no dots). #1016
- Added Mime Type fields to HTTP request and response. #944
- Added network directions ingress and egress. #945
- Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951
- Added `configuration` as an allowed `event.category`. #963
- Added a new directory with experimental artifacts, which includes all changes from RFCs that have reached stage 2. #993, #1053, #1115, #1117, #1118
- Expanded field set definitions for `source.*` and `destination.*`. #967
- Provided better guidance for mapping network events. #969
- Added the field `.subdomain` under `client`, `destination`, `server`, `source` and `url`, to match its presence at `dns.question.subdomain`. #981
- Clarified ambiguity in guidance on how to use x509 fields for connections with only one certificate. #1114
- Changed the index pattern of the sample Elasticsearch template from `ecs-*` to `try-ecs-*` to avoid conflicting with Logstash's `ecs-logstash-*`. #1048
- Addressed issue where foreign reuses weren't using the user-supplied `as` value for their destination. #960
- Experimental artifacts failed to install due to `event.original` index setting. #1053
- Introduced `--strict` flag to perform stricter schema validation when running the generator script. #937
- Added check under `--strict` that ensures composite types in example fields are quoted. #966
- Added `ignore_above` and `normalizer` support for keyword multi-fields. #971
- Added `--oss` flag for users who want to generate ECS templates for use on OSS clusters. #991
- Field details Jinja2 template components have been consolidated into one template #897
- Add `[discrete]` marker before each section header in field details. #989
- `--ref` now loads `experimental/schemas` based on git ref in addition to `schemas`. #1063
- Field `registry.data.strings` should have been marked as an array field. #790
- Added `x509.*` field set. #762
- Add architecture and imphash for PE field set. #763
- Added `agent.build.*` for extended agent version information. #764
- Added `log.file.path` to capture the log file an event came from. #802
- Added more account and project cloud metadata. #816
- Added missing field reuse of `pe` at `process.parent.pe`. #868
- Added `span.id` to the tracing fieldset, for additional log correlation. #882
- Added `event.reason` for the reason why an event's outcome or action was taken. #907
- Added `user.roles` to capture a list of role names that apply to the user. #917
- Removed misleading pluralization in the description of `user.id`; it should contain one ID, not many. #801
- Clarified misleading wording about multiple IPs in src/dst or cli/srv. #804
- Improved verbiage about the MITRE ATT&CK® framework. #866
- Removed the default `object_type=keyword` that was being applied to `object` fields. This attribute is Beats-specific. It's still supported, but needs to be set explicitly on a case by case basis now. This default being removed affects `dns.answers`, `log.syslog`, `network.inner`, `observer.egress`, and `observer.ingress`. #871
- Improved attribute `dashed_name` in `generated/ecs/*.yml` to also replace `@` with `-`. #871
- Updated several URLs in the documentation with "example.com" domain. #910
- Deprecate guidance to lowercase `http.request.method`. #840
- Removed field definitions at the root of documents for fieldsets that had `reusable.top_level:false`. This PR affects `ecs_flat.yml`, the csv file and the sample Elasticsearch templates. #495, #813
- Removed the `order` attribute from the `ecs_nested.yml` and `ecs_flat.yml` files. #811
- In `ecs_nested.yml`, the array of strings that used to be in `reusable.expected` has been replaced by an array of objects with 3 keys: 'as', 'at' and 'full'. #864
- The subset format now requires `name` and `fields` keys at the top level. #873
- Subsets are created after duplicating reusable fields now so subsets can be applied to each reused instance independently. #753
- Quoted the example for `labels` to avoid YAML interpreting it, and having slightly different results in different situations. #782
- Fix incorrect listing of where field sets are nested in asciidoc, when they are nested deep. #784
- Allow beats output to be generated when using `--include` or `--subset` flags. #814
- Field parameter `index` is now correctly populated in the Beats field definition file. #824
- Add support for reusing official fieldsets in custom schemas. #751
- Add full path names to reused fieldsets in `nestings` array in `ecs_nested.yml`. #803
- Allow shorthand notation for including all subfields in subsets. #805
- Add support for Elasticsearch `enabled` field parameter. #824
- Add `ref` option to generator allowing schemas to be built for a specific ECS version. #851
- Add `template-settings` and `mapping-settings` options to allow override of defaults in generated ES templates. #856
- When overriding ECS field sets via the `--include` flag, it's no longer necessary to duplicate the field set's mandatory attributes. The customizations are merged before validation. #864
- Add ability to nest field sets as another name. #864
- Add ability to nest field sets within themselves (e.g. `process` => `process.parent`). #864
- New attribute `reused_here` is added in `ecs_nested.yml`. It obsoletes the previous attribute `nestings`, and is able to fully capture details of other field sets reused under this one. #864
- When chained reuses are needed (e.g. `group` => `user`, then `user` => many places), it's now necessary to force the order with new attribute `reusable.order`. This attribute is otherwise optional. It's currently only needed for `group`. #864
- There's a new representation of ECS at `generated/ecs/ecs.yml`, which is a deeply nested representation of the fields. This file is not in git, as it's only meant for developers working on the ECS tools. #864
- Jinja2 templates now define the doc structure for the AsciiDoc generator. #865
- Intermediate `ecs_flat.yml` and `ecs_nested.yml` files are now generated for each individual subset, in addition to the intermediate files generated for the combined subset. #873
- In `ecs_nested.yml`, we're deprecating the attribute `nestings`. It will be removed in a future release. The deprecated `nestings` attribute was an array of flat field names describing where fields are nested within the field set. This is replaced with the attribute `reused_here`, which is an array of objects. The new format still lists where the fields are nested via the same flat field name, but also specifies additional information about each field reuse. #864
- Added `dll.*` fields. #679
- Added `related.hash` to keep track of all hashes seen on an event. #711
- Added fieldset for PE metadata. #731
- Added `code_signature` fieldset. #733
- Added missing `hash` fields at `process.parent.hash.*`. #739
- Added globally unique identifier `entity_id` to `process` and `process.parent`. #747
- Added interface, vlan, observer zone fields. #752
- Added `rule.author`, `rule.license` fields. #754
- Added iam value for `event.category` and three related values for `event.type`. #756
- Added fields `event.reference` and `event.url` to hold link to additional event info/actions. #757
- Added `file.mime_type` to include MIME type information on file structures. #760
- Added `event.category` value of network and associated `event.type` values. #761
- Temporary workaround for Beats templates' `default_field` growing too big. #687
- Identify which fields should contain arrays of values, rather than scalar values. #727, #661
- Clarified examples and definitions regarding vulnerabilities. #758
- Updated definition of `event.outcome` based on community feedback. #759
- ECS scripts now use Python 3.6+. #674
- schema_reader.py now reliably supports chaining reusable fieldsets together. #722
- Allow the artifact generator to consider and output only a subset of fields. #737
- Add support for reusing fields in places other than the top level of the destination fieldset. #739
- Add support for specifying the directory to write the generated files. #748
- Added default `text` analyzer as a multi-field to `user_agent.original`. #575
- Added `file.attributes`. #611
- Added `file.drive_letter`. #620
- Added `rule` fields. #665
- Added default `text` analyzer as a multi-field to around 25 more fields. #680
- Added `registry.*` fieldset for the Windows registry. #673
- Publish initial list of allowed values for the categorization fields (previously reserved) `event.kind`, `event.category`, `event.type` and `event.outcome`. #684, #691, #692
- Added `related.user`. #694
- Fix support for multi-fields. #575
- Removed unnecessary field `tls.server.supported_ciphers`. #662
- Added `vulnerability.*` fields to represent vulnerability information. #581
- Added `event.ingested` as the ingest timestamp. #582
- Added `package.reference`. #585
- Added `package.build_version`. #586
- Added `package.type`. #587
- Added `host.domain` field. #591
- Added `process.command_line`. #599
- Added `process.exit_code`. #600
- Added fields in `tls.*` to support analysis of TLS protocol events. #606
- Added `process.parent.*`. #612
- Added `process.args_count`. #615
- Changed the order and column names in the csv. #621
- Removed the file `schema.json` and the code generating it. #627
- Removed the legacy Elasticsearch template. #629
  - Note: The good Elasticsearch templates are available in directory `generated/elasticsearch`; this PR only removes an obsolete file.
- Added the "Indexed", "Field_Set" and "Description" columns to the csv. #621
- Added `threat.*` fields to apply a taxonomy to events and alerts. #505
- Added fields in `log.*` to allow for full Syslog mapping. #525
- Added `package.*` to installed software packages. #532
- Added `registered_domain` to `url`, `source`, `destination`, `client`, and `server`. #533
- Added `top_level_domain` field to `url`, `dns.question`, `source`, `destination`, `client`, and `server`. #542, #572
- Added `group.domain` field. #547
- Added `url.extension`. #551, #573
- Added `observer.name` and `observer.product`. #557, #571
- Added `dns.question.subdomain` field. #561, #574
- Added `error.stack_trace` field. #562
- Added `log.origin.file.name`, `log.origin.function` and `log.origin.file.line` fields. #563, #568
- Added `service.node.name` to allow distinction between different nodes of the same service running on the same host. #565
- Added `error.type` field. #566
- Added `as` fields for Autonomous System information (i.e. ASN). #341
- Added field formats to all `.bytes` fields and `event.duration`. #385, #425
- Added `hash.*` field set. #426
- Added `dns.*` field set, to describe DNS traffic. #438
- Added `event.code`, `event.sequence` and `event.provider`. #439
- Added `file.name` and `file.directory`. #441
- Added `file.created`, and `file.accessed`. #445
- Added `process.uptime` and `host.uptime` fields. #477
- Added `domain` field to user. #486
- Added `.nat.ip` and `.nat.port` to `source`, `destination`, `client` and `server`. #491
- Added `process.thread.name` field. #517
- Added `trace.id` and `transaction.id` fields for tracing across different services. #519
- Added `log.logger` field. #521
- Added examples and improved definitions of many `file` fields. #441
- Changed the `service.id` description so it works better for clustered services. #502
- Add generated source code for Go. #249
- Translate the documentation from README.md, to the main website. #266, #334, #400, #430, #437
- New generator that supports reusable fields, for files based on ECS. It generates schema.csv, Elasticsearch 6 and 7 templates, and field documentation for the main website. #336
- Generator for the asciidoc rendering of field definitions. #347
- Generator for the Beats fields.ecs.yml file. #379
- Remove many legacy generated files. #399
- Specify static output format for `event.duration`. #425
- Format port numbers and numeric IDs as strings. #454
- Add example for `process.pid` and `process.ppid`. #464, #470
- Remove the `user.group` `keyword` field, introduced in #204. Instead, the `group` field set can be nested at `user.group`. #308
- Field set name "group" was being used as a leaf field at `user.group`, instead of being a nesting of the field set. This goes against a driving principle of ECS, and has been corrected. #308
- Replaced incorrect examples in `cloud.provider`. #330, #348
- Changed the `url.port` type to `long`. #339
- Added pointer in description of `http` field set to `url` field set. #330
- Added an optional short field description. #330
- Clarified the definition of the host fields #325
- Clarified the difference between `@timestamp` and `event.created`. #329
- Make phrasing of lowercasing directive more relevant, no matter where it's shown. #332
- Specify the `object_type` for field `labels`. #331
- Loosen up definition of `geo` field set. Not necessarily geo-ip based, since `geo.name`. #333
- Clarified guidelines on ID fields. #349
- Changed `device.*` fields to `observer.*` fields to eliminate user confusion. #238
- Rename `network.total.bytes` to `network.bytes` and `network.total.packets` to `network.packets`. #179
- Remove `network.inbound.bytes`, `network.inbound.packets`, `network.outbound.bytes` and `network.outbound.packets`. #179
- Changed the `event.type` definition to be only reserved. #242
- Fix obvious mistake in the definition of "source", where it said "destination" instead of "source". #211
- Add `host.name` field and clarify usage of `host.hostname`. #187
- Add `event.start` and `event.end` date fields. #185
- Add `process.thread.id` field. #200
- Create new `related` field set with `related.ip`. #206
- Add `user.group` field. #204
- Create new `group` field set with `group.id` and `group.name`. #203
- Add `url.full` field. #207
- Add `process.executable` field. #209
- Add `process.working_directory` and `process.start`. #215
- Reintroduce `http`. #237
- Move `http.response.body` to `http.response.body.content`. #239
- Add `http.request.body.content`. #239
- Add HTTP size metric fields. #239
- Add `user.full_name` field. #201
- Add `network.community_id` field. #208
- Add fields `geo.country_name` and `geo.region_iso_code`. #214
- Add `event.kind` and `event.outcome`. #242
- Add `client` and `server` objects and fields. #236
- Reintroduce a streamlined `user_agent` field set. #240, #262
- Add `geo.name` for ad hoc location names. #248
- Add `event.timezone` to allow for proper interpretation of incomplete timestamps. #258
- Add fields `source.address`, `destination.address`, `client.address`, and `server.address`. #247
- Add `os.full` to capture full OS name, including version. #259
- Add generated source code for Go. #249
- Improved the definition of the file fields #196
- Improved the definition of the agent fields #192
- Improve definition of events, logs, and metrics in event section #194
- Improved the definition of network fields in intro section #197
- Improved the definition of host fields #195
- Improved the definitions for `event.category` and `event.action`. #242
- Clarify the semantics of `network.direction`. #212
- Add `source.bytes`, `source.packets`, `destination.bytes` and `destination.packets`. #179
- Add a readme section to declare some top level field sets are reserved for future use. #257
- Clarify that `network.transport`, `network.type`, `network.application`, and `network.protocol` must be lowercase. #251
- Clarify that `http.request.method` must be lowercase. #251
- Clarify that source/destination should be filled, even if client/server is being used. #265
- Change structure of URL. #7
- Rename `url.href` multi_field. #18
- Rename `geoip.*` to `geo`. #58
- Rename `log.message` to `log.original`. #106
- Rename `event.raw` to `event.original`. #107
- Rename `user_agent.raw` to `user_agent.original` and make it a keyword. #107
- Rename `file.path.raw` to `file.path.keyword`, `file.target_path.raw` to `file.target_path.keyword`, `url.href.raw` to `url.href.keyword`, `url.path.raw` to `url.path.keyword`, `url.query.raw` to `url.query.keyword`, and `network.name.raw` to `network.name.keyword`. #103
- Remove `log.offset` and `log.line` as too specific for ECS. #131
- Remove top level objects `kubernetes` and `tls`. #132
- Remove `*.timezone.offset.sec` fields as too specific for ECS at the moment. #134
- Make the following fields keyword: `device.vendor`, `file.path`, `file.target_path`, `http.response.body`, `network.name`, `organization.name`, `url.href`, `url.path`, `url.query`, `user_agent.original`. #137
- Rename `url.host.name` to `url.hostname` to better align with industry convention. #147
- Only two fields using `text` indexing at this time are `message` and `error.message`.
- Rename `host.name` to `host.hostname` to better align with industry convention. #144
- Update definition of `service.type` and `service.name`.
- Redefine purpose of `agent.name` field to be user defined field.
- Rename `url.href` to `url.original`.
- Remove `source.subdomain` and `destination.subdomain` fields.
- Rename `event.version` to `ecs.version`. #169
- Remove the `http` field set temporarily. #171
- Remove the `user_agent` field set temporarily. #172
- Rename `url.hostname` to `url.domain`. #175
- Remove `source.hostname` and `destination.hostname`. #175
- Add `network.total.packets` and `network.total.bytes` field. #2
- Add `event.action` field. #21
- Add `network.name`, to track network names in the monitoring pipeline. #25
- Adds `cloud.account.id` for top level organizational level. #11
- Add `http.response.status_code` and `http.response.body` fields. #4
- Add fields for Operating System data. #5
- Add `log.message`. #3
- Add `http.request.method` and `http.version`.
- Add `host.os.kernel` containing the OS kernel version. #60
- Add `agent.type` field.
- Add `http.request.referrer` field. #164
- Add `network.type`, `network.iana_number`, `network.transport` and `network.application`. #81 and #170
- Remove duplicate definitions of the reusable `os` field set from `host.os` and `user_agent.os`. #168
Initial draft release