1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -57,6 +57,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
*Packetbeat*

- Use /proc/<pid>/comm for linux process names where possible. {pull}31527[31527]
- Move "protocol" term from event.category to event.type in SIP events. {pull}31599[31599]

*Winlogbeat*

4 changes: 2 additions & 2 deletions packetbeat/_meta/sample_outputs/sip.json
Expand Up @@ -8,7 +8,6 @@
"event.action": "sip_register",
"event.category": [
"network",
"protocol",
"authentication"
],
"event.dataset": "sip",
Expand All @@ -17,7 +16,8 @@
"event.original": "REGISTER sip:sip.cybercity.dk SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;branch=z9hG4bKnp112903503-43a64480192.168.1.2;rport\r\nFrom: <sip:voi18062@sip.cybercity.dk>;tag=6bac55c\r\nTo: <sip:voi18062@sip.cybercity.dk>\r\nCall-ID: 578222729-4665d775@578222732-4665d772\r\nContact: <sip:voi18062@192.168.1.2:5060;line=aca6b97ca3f5e51a>;expires=1200;q=0.500\r\nExpires: 1200\r\nCSeq: 75 REGISTER\r\nContent-Length: 0\r\nAuthorization: Digest username=\"voi18062\",realm=\"sip.cybercity.dk\",uri=\"sip:192.168.1.2\",nonce=\"1701b22972b90f440c3e4eb250842bb\",opaque=\"1701a1351f70795\",nc=\"00000001\",response=\"79a0543188495d288c9ebbe0c881abdc\"\r\nMax-Forwards: 70\r\nUser-Agent: Nero SIPPS IP Phone Version 2.0.51.16\r\n\r\n",
"event.sequence": 75,
"event.type": [
"info"
"info",
"protocol"
],
"network.application": "sip",
"network.community_id": "1:dOa61R2NaaJsJlcFAiMIiyXX+Kk=",
4 changes: 2 additions & 2 deletions packetbeat/protos/sip/README.md
Expand Up @@ -52,7 +52,6 @@ SIP is a text-based protocol like HTTP. But SIP has various unique features like
"event.action": "sip_register",
"event.category": [
"network",
"protocol",
"authentication"
],
"event.dataset": "sip",
Expand All @@ -61,7 +60,8 @@ SIP is a text-based protocol like HTTP. But SIP has various unique features like
"event.original": "REGISTER sip:sip.cybercity.dk SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;branch=z9hG4bKnp112903503-43a64480192.168.1.2;rport\r\nFrom: <sip:voi18062@sip.cybercity.dk>;tag=6bac55c\r\nTo: <sip:voi18062@sip.cybercity.dk>\r\nCall-ID: 578222729-4665d775@578222732-4665d772\r\nContact: <sip:voi18062@192.168.1.2:5060;line=aca6b97ca3f5e51a>;expires=1200;q=0.500\r\nExpires: 1200\r\nCSeq: 75 REGISTER\r\nContent-Length: 0\r\nAuthorization: Digest username=\"voi18062\",realm=\"sip.cybercity.dk\",uri=\"sip:192.168.1.2\",nonce=\"1701b22972b90f440c3e4eb250842bb\",opaque=\"1701a1351f70795\",nc=\"00000001\",response=\"79a0543188495d288c9ebbe0c881abdc\"\r\nMax-Forwards: 70\r\nUser-Agent: Nero SIPPS IP Phone Version 2.0.51.16\r\n\r\n",
"event.sequence": 75,
"event.type": [
"info"
"info",
"protocol"
],
"network.application": "sip",
"network.community_id": "1:dOa61R2NaaJsJlcFAiMIiyXX+Kk=",
8 changes: 5 additions & 3 deletions packetbeat/protos/sip/plugin.go
Expand Up @@ -147,7 +147,7 @@ func newParsingInfo(pkt *protos.Packet) *parsingInfo {
}
}

func (p *plugin) buildEvent(m *message, pkt *protos.Packet) (*beat.Event, error) {
func (p *plugin) buildEvent(m *message, _ *protos.Packet) (*beat.Event, error) {
status := common.OK_STATUS
if m.statusCode >= 400 {
status = common.ERROR_STATUS
Expand Down Expand Up @@ -259,6 +259,7 @@ func (p *plugin) populateHeadersFields(m *message, evt beat.Event, pbf *pb.Field
}
}

//nolint:dupl // These are not readily refactorable in the short term as the ProtocolFields is constrained to be flat.
func populateFromFields(m *message, pbf *pb.Fields, fields *ProtocolFields) {
if len(m.from) > 0 {
displayInfo, uri, params := parseFromToContact(m.from)
Expand All @@ -277,6 +278,7 @@ func populateFromFields(m *message, pbf *pb.Fields, fields *ProtocolFields) {
}
}

//nolint:dupl // These are not readily refactorable in the short term as the ProtocolFields is constrained to be flat.
func populateToFields(m *message, pbf *pb.Fields, fields *ProtocolFields) {
if len(m.to) > 0 {
displayInfo, uri, params := parseFromToContact(m.to)
Expand Down Expand Up @@ -318,7 +320,7 @@ func populateContactFields(m *message, pbf *pb.Fields, fields *ProtocolFields) {

func (p *plugin) populateEventFields(m *message, pbf *pb.Fields, fields ProtocolFields) {
pbf.Event.Kind = "event"
pbf.Event.Type = []string{"info"}
pbf.Event.Type = []string{"info", "protocol"}
pbf.Event.Dataset = "sip"
pbf.Event.Sequence = int64(fields.CseqCode)

Expand All @@ -331,7 +333,7 @@ func (p *plugin) populateEventFields(m *message, pbf *pb.Fields, fields Protocol
pbf.Event.Original = string(m.rawData)
}

pbf.Event.Category = []string{"network", "protocol"}
pbf.Event.Category = []string{"network"}
if _, found := m.headers["authorization"]; found {
pbf.Event.Category = append(pbf.Event.Category, "authentication")
}
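Review bot: The rebuilt `pbf.Event.Category = []string{"network"}` on the last changed line of populateEventFields still only gains `authentication` via the unchanged guard on an `authorization` header, so a 401/407 challenge carrying WWW-Authenticate or Proxy-Authenticate, and a request using Proxy-Authorization, remain categorized as plain network traffic; a detection keyed on event.category:authentication would miss the challenge half of a digest exchange. This assumes m.headers keys are lowercased the way the existing `m.headers["authorization"]` lookup implies — worth confirming against the parser. Checking the four RFC 3261 credential/challenge headers in a small loop leaves the new assignment intact and replaces only the append guard. populateEventFields continues past the end of the hunk.
```go
	pbf.Event.Category = []string{"network"}
	// Credentials (requests) and challenges (401/407 responses) both mark an authentication exchange.
	for _, h := range []string{"authorization", "proxy-authorization", "www-authenticate", "proxy-authenticate"} {
		if _, found := m.headers[h]; found {
			pbf.Event.Category = append(pbf.Event.Category, "authentication")
			break
		}
	}
	// … unchanged: rest of populateEventFields …
```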
72 changes: 36 additions & 36 deletions packetbeat/tests/system/golden/sip-expected.json
Expand Up @@ -8,16 +8,16 @@
"destination.port": 5060,
"event.action": "sip-invite",
"event.category": [
"network",
"protocol"
"network"
],
"event.dataset": "sip",
"event.duration": 0,
"event.kind": "event",
"event.original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" <sip:sipp@10.0.2.20:5060>;tag=1\r\nTo: test <sip:test@10.0.2.15:5060>\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n",
"event.sequence": 1,
"event.type": [
"info"
"info",
"protocol"
],
"network.application": "sip",
"network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=",
Expand Down Expand Up @@ -96,8 +96,7 @@
"destination.port": 5060,
"event.action": "sip-invite",
"event.category": [
"network",
"protocol"
"network"
],
"event.dataset": "sip",
"event.duration": 0,
Expand All @@ -106,7 +105,8 @@
"event.reason": "Trying",
"event.sequence": 1,
"event.type": [
"info"
"info",
"protocol"
],
"network.application": "sip",
"network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=",
Expand Down Expand Up @@ -166,8 +166,7 @@
"destination.port": 5060,
"event.action": "sip-invite",
"event.category": [
"network",
"protocol"
"network"
],
"event.dataset": "sip",
"event.duration": 0,
Expand All @@ -177,7 +176,8 @@
"event.reason": "OK",
"event.sequence": 1,
"event.type": [
"info"
"info",
"protocol"
],
"network.application": "sip",
"network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=",
Expand Down Expand Up @@ -277,16 +277,16 @@
"destination.port": 5060,
"event.action": "sip-ack",
"event.category": [
"network",
"protocol"
"network"
],
"event.dataset": "sip",
"event.duration": 0,
"event.kind": "event",
"event.original": "ACK sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-5\r\nFrom: \"DVI4/8000\" <sip:sipp@10.0.2.20:5060>;tag=1\r\nTo: test <sip:test@10.0.2.15:5060>;tag=e2jv529vDZ3eQ\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 ACK\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n",
"event.sequence": 1,
"event.type": [
"info"
"info",
"protocol"
],
"network.application": "sip",
"network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=",
Expand Down Expand Up @@ -357,16 +357,16 @@
"destination.port": 5060,
"event.action": "sip-bye",
"event.category": [
"network",
"protocol"
"network"
],
"event.dataset": "sip",
"event.duration": 0,
"event.kind": "event",
"event.original": "BYE sip:sipp@10.0.2.20:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.15;rport;branch=z9hG4bKDQ7XK6BBH57ya\r\nMax-Forwards: 70\r\nFrom: test <sip:test@10.0.2.15:5060>;tag=e2jv529vDZ3eQ\r\nTo: \"DVI4/8000\" <sip:sipp@10.0.2.20:5060>;tag=1\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 99750433 BYE\r\nUser-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit\r\nAllow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE\r\nSupported: timer, path, replaces\r\nReason: Q.850;cause=16;text=\"NORMAL_CLEARING\"\r\nContent-Length: 0\r\n\r\n",
"event.sequence": 99750433,
"event.type": [
"info"
"info",
"protocol"
],
"network.application": "sip",
"network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=",
Expand Down Expand Up @@ -452,8 +452,7 @@
"destination.port": 5060,
"event.action": "sip-bye",
"event.category": [
"network",
"protocol"
"network"
],
"event.dataset": "sip",
"event.duration": 0,
Expand All @@ -463,7 +462,8 @@
"event.reason": "OK",
"event.sequence": 99750433,
"event.type": [
"info"
"info",
"protocol"
],
"network.application": "sip",
"network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=",
Expand Down Expand Up @@ -529,16 +529,16 @@
"destination.port": 5060,
"event.action": "sip-invite",
"event.category": [
"network",
"protocol"
"network"
],
"event.dataset": "sip",
"event.duration": 0,
"event.kind": "event",
"event.original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2189-1-0\r\nFrom: \"DVI4/16000\" <sip:sipp@10.0.2.20:5060>;tag=1\r\nTo: test <sip:test@10.0.2.15:5060>\r\nCall-ID: 1-2189@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 124\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 6\r\na=rtpmap:6 DVI4/16000\r\na=recvonly\r\n",
"event.sequence": 1,
"event.type": [
"info"
"info",
"protocol"
],
"network.application": "sip",
"network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=",
Expand Down Expand Up @@ -617,8 +617,7 @@
"destination.port": 5060,
"event.action": "sip-invite",
"event.category": [
"network",
"protocol"
"network"
],
"event.dataset": "sip",
"event.duration": 0,
Expand All @@ -627,7 +626,8 @@
"event.reason": "Trying",
"event.sequence": 1,
"event.type": [
"info"
"info",
"protocol"
],
"network.application": "sip",
"network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=",
Expand Down Expand Up @@ -687,8 +687,7 @@
"destination.port": 5060,
"event.action": "sip-invite",
"event.category": [
"network",
"protocol"
"network"
],
"event.dataset": "sip",
"event.duration": 0,
Expand All @@ -698,7 +697,8 @@
"event.reason": "OK",
"event.sequence": 1,
"event.type": [
"info"
"info",
"protocol"
],
"network.application": "sip",
"network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=",
Expand Down Expand Up @@ -798,16 +798,16 @@
"destination.port": 5060,
"event.action": "sip-ack",
"event.category": [
"network",
"protocol"
"network"
],
"event.dataset": "sip",
"event.duration": 0,
"event.kind": "event",
"event.original": "ACK sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2189-1-5\r\nFrom: \"DVI4/16000\" <sip:sipp@10.0.2.20:5060>;tag=1\r\nTo: test <sip:test@10.0.2.15:5060>;tag=FBcN7Xt0a8S1j\r\nCall-ID: 1-2189@10.0.2.20\r\nCSeq: 1 ACK\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n",
"event.sequence": 1,
"event.type": [
"info"
"info",
"protocol"
],
"network.application": "sip",
"network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=",
Expand Down Expand Up @@ -878,16 +878,16 @@
"destination.port": 5060,
"event.action": "sip-bye",
"event.category": [
"network",
"protocol"
"network"
],
"event.dataset": "sip",
"event.duration": 0,
"event.kind": "event",
"event.original": "BYE sip:sipp@10.0.2.20:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.15;rport;branch=z9hG4bKe00pN1veeeyHp\r\nMax-Forwards: 70\r\nFrom: test <sip:test@10.0.2.15:5060>;tag=FBcN7Xt0a8S1j\r\nTo: \"DVI4/16000\" <sip:sipp@10.0.2.20:5060>;tag=1\r\nCall-ID: 1-2189@10.0.2.20\r\nCSeq: 99750437 BYE\r\nUser-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit\r\nAllow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE\r\nSupported: timer, path, replaces\r\nReason: Q.850;cause=16;text=\"NORMAL_CLEARING\"\r\nContent-Length: 0\r\n\r\n",
"event.sequence": 99750437,
"event.type": [
"info"
"info",
"protocol"
],
"network.application": "sip",
"network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=",
Expand Down Expand Up @@ -973,8 +973,7 @@
"destination.port": 5060,
"event.action": "sip-bye",
"event.category": [
"network",
"protocol"
"network"
],
"event.dataset": "sip",
"event.duration": 0,
Expand All @@ -984,7 +983,8 @@
"event.reason": "OK",
"event.sequence": 99750437,
"event.type": [
"info"
"info",
"protocol"
],
"network.application": "sip",
"network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=",
Expand Up @@ -9,7 +9,6 @@
"event.action": "sip-register",
"event.category": [
"network",
"protocol",
"authentication"
],
"event.dataset": "sip",
Expand All @@ -18,7 +17,8 @@
"event.original": "REGISTER sip:sip.cybercity.dk SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;branch=z9hG4bKnp112903503-43a64480192.168.1.2;rport\r\nFrom: <sip:voi18062@sip.cybercity.dk>;tag=6bac55c\r\nTo: <sip:voi18062@sip.cybercity.dk>\r\nCall-ID: 578222729-4665d775@578222732-4665d772\r\nContact: <sip:voi18062@192.168.1.2:5060;line=aca6b97ca3f5e51a>;expires=1200;q=0.500\r\nExpires: 1200\r\nCSeq: 75 REGISTER\r\nContent-Length: 0\r\nAuthorization: Digest username=\"voi18062\",realm=\"sip.cybercity.dk\",uri=\"sip:192.168.1.2\",nonce=\"1701b22972b90f440c3e4eb250842bb\",opaque=\"1701a1351f70795\",nc=\"00000001\",response=\"79a0543188495d288c9ebbe0c881abdc\"\r\nMax-Forwards: 70\r\nUser-Agent: Nero SIPPS IP Phone Version 2.0.51.16\r\n\r\n",
"event.sequence": 75,
"event.type": [
"info"
"info",
"protocol"
],
"network.application": "sip",
"network.community_id": "1:dOa61R2NaaJsJlcFAiMIiyXX+Kk=",
Expand Down Expand Up @@ -85,8 +85,7 @@
"destination.port": 5060,
"event.action": "sip-register",
"event.category": [
"network",
"protocol"
"network"
],
"event.dataset": "sip",
"event.duration": 0,
Expand All @@ -95,7 +94,8 @@
"event.reason": "Trying",
"event.sequence": 75,
"event.type": [
"info"
"info",
"protocol"
],
"network.application": "sip",
"network.community_id": "1:dOa61R2NaaJsJlcFAiMIiyXX+Kk=",
Expand Down Expand Up @@ -148,8 +148,7 @@
"destination.port": 5060,
"event.action": "sip-register",
"event.category": [
"network",
"protocol"
"network"
],
"event.dataset": "sip",
"event.duration": 0,
Expand All @@ -159,7 +158,8 @@
"event.reason": "OK",
"event.sequence": 75,
"event.type": [
"info"
"info",
"protocol"
],
"network.application": "sip",
"network.community_id": "1:dOa61R2NaaJsJlcFAiMIiyXX+Kk=",