elastic · webmat · Nov 22, 2018 · Nov 14, 2018 · Nov 20, 2018 · Nov 20, 2018
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
@@ -124,6 +124,8 @@ https://github.com/elastic/beats/compare/v6.5.0...v7.0.0-alpha1[View commits]
 - Rename `source_ecs` to `source` in the Filebeat Suricata module. {pull}8983[8983]
 - Remove warnings for deprecated options: "spool_size", "publish_async", "idle_timeout". {pull}9002[9002]
 - Rename many `system.syslog.*` fields to map to ECS. {pull}9135[9135]
+- Rename many `iis.access.*` fields to map to ECS. {pull}9084[9084]
+- IIS module's user agent string is no longer encoded (`+` replaced with spaces). {pull}9084[9084]
 
 *Metricbeat*
 

diff --git a/dev-tools/ecs-migration.yml b/dev-tools/ecs-migration.yml
@@ -110,3 +110,90 @@
   to: source.domain
   alias: true
   copy_to: false
+
+- from: iis.access.server_ip
+  to: destination.ip
+  alias: true
+  copy_to: false
+
+- from: iis.access.remote_ip
+  to: source.ip
+  alias: true
+  copy_to: false
+
+- from: iis.access.url
+  to: url.path
+  alias: true
+  copy_to: false
+
+- from: iis.access.query_string
+  to: url.query
+  alias: true
+  copy_to: false
+
+- from: iis.access.port
+  to: destination.port
+  alias: true
+  copy_to: false
+
+- from: iis.access.user_name
+  to: user.name
+  alias: true
+  copy_to: false
+
+- from: iis.access.hostname
+  to: destination.domain
+  alias: true
+  copy_to: false
+
+- from: iis.access.user_agent.original
+  to: user_agent.original
+  alias: true
+  copy_to: false
+
+- from: iis.access.geoip.continent_name
+  to: source.geo.continent_name
+  alias: true
+  copy_to: false
+
+- from: iis.access.geoip.country_iso_code
+  to: source.geo.country_iso_code
+  alias: true
+  copy_to: false
+
+- from: iis.access.geoip.location
+  to: source.geo.location
+  alias: true
+  copy_to: false
+
+- from: iis.access.geoip.region_name
+  to: source.geo.region_name
+  alias: true
+  copy_to: false
+
+- from: iis.access.geoip.city_name
+  to: source.geo.city_name
+  alias: true
+  copy_to: false
+
+- from: iis.access.geoip.region_iso_code
+  to: source.geo.region_iso_code
+  alias: true
+  copy_to: false
+
+# Note: `http` is not officially in ECS yet
+
+- from: iis.access.method
+  to: http.request.method
+  alias: true
+  copy_to: false
+
+- from: iis.access.response_code
+  to: http.response.status_code
+  alias: true
+  copy_to: false
+
+- from: iis.access.referrer
+  to: http.request.referrer
+  alias: true
+  copy_to: false
diff --git a/filebeat/_meta/fields.common.yml b/filebeat/_meta/fields.common.yml
@@ -101,6 +101,13 @@
         - name: full_name
           type: keyword
 
+  # Temporary fix until ECS includes the HTTP object again
+    - name: http.request.referrer
+      type: keyword
+      description: >
+        Referrer for this HTTP request.
+      example: https://blog.example.com/
+
   # Temporary fix to get 7.0 dashboards working
     - name: fileset.name
       type: alias