diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f5aad7d831..5cc1b651f7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -15,5 +15,4 @@ jobs:
 with:
 python-version: '3.x'
 - run: git fetch --prune --unshallow --tags
- - run: make setup
 - run: make check
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 44ff8bc217..2fc9e92104 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -31,6 +31,7 @@ Thanks, you're awesome :-) -->
 
 * Removing deprecated --oss from generator #1404
 * Removing use-cases directory #1405
+* Remove Go code generator. #1567
 
 #### Bugfixes
 
diff --git a/Makefile b/Makefile
index b0f7af8ac8..a7f1833a17 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,6 @@
 #
 .DEFAULT_GOAL := all
 FIND := find . -type f -not -path './build/*' -not -path './.git/*'
-FORCE_GO_MODULES := GO111MODULE=on
 OPEN_DOCS ?= "--open"
 PYTHON := build/ve/bin/python
 VERSION := $(shell cat version)
@@ -36,10 +35,6 @@ check-license-headers:
 clean:
 rm -rf build generated/elasticsearch/component experimental/generated/elasticsearch/component
 
-# Alias to generate source code for all languages.
-.PHONY: codegen
-codegen: gocodegen
-
 # Build the asciidoc book.
 .PHONY: docs
 docs:
@@ -57,12 +52,10 @@ experimental: ve
 .PHONY: fmt
 fmt: ve
 $(FIND) -name '*.py' -exec build/ve/bin/autopep8 --ignore E402 --in-place --max-line-length 120 {} \;
- go get golang.org/x/tools/cmd/goimports
- goimports -w -l -local github.com/elastic $(shell $(FIND) -name '*.go')
 
 # Alias to generate everything.
 .PHONY: generate
-generate: generator codegen
+generate: generator
 $(PYTHON) --version
 
 # Run the new generator
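Review bot: Dropping `- run: make setup` leaves the job with no step that prepares Go, but nothing in this hunk removes a Go toolchain step either; if the steps above line 15 still include an `actions/setup-go` step (not visible here), it is now unused and should be removed in the same commit so the job does not install a toolchain it never runs. It is also worth confirming that the `check` target reached by `make check` had no transitive dependency on `setup`, since the Makefile hunks only remove the target definition and `check` itself is not in the diff. The `steps:` list this hunk belongs to starts outside the hunk.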
@@ -70,16 +63,6 @@ generate: generator codegen
 generator: ve
 $(PYTHON) scripts/generator.py --strict --include "${INCLUDE}"
 
-# Generate Go code from the schema.
-.PHONY: gocodegen
-gocodegen:
- find code/go/ecs -name '*.go' -not -name 'doc.go' | xargs rm
- cd scripts \
- && $(FORCE_GO_MODULES) go run cmd/gocodegen/gocodegen.go \
- -version=$(VERSION) \
- -schema=../schemas \
- -out=../code/go/ecs
-
 # Check Makefile format.
 .PHONY: makelint
 makelint: SHELL:=/bin/bash
@@ -96,11 +79,6 @@ misspell:
 .PHONY: reload_docs
 reload_docs: generator docs
 
-# Download and setup tooling dependencies.
-.PHONY: setup
-setup: ve
- cd scripts && $(FORCE_GO_MODULES) go mod download
-
 # Run the ECS tests
 .PHONY: test
 test: ve
diff --git a/code/README.md b/code/README.md
deleted file mode 100644
index 59d148f9df..0000000000
--- a/code/README.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# Generated Source Code
-
-This directory contains source code that is generated from the Elastic Common
-Schema (ECS).
-
-- [Go](go/ecs/)
diff --git a/code/go/ecs/README.md b/code/go/ecs/README.md
deleted file mode 100644
index 98339a2539..0000000000
--- a/code/go/ecs/README.md
+++ /dev/null
@@ -1,8 +0,0 @@
-# Go - Generated Source Code
-
-[![Go Documentation](http://img.shields.io/badge/go-documentation-blue.svg?style=flat-square)][godocs]
-
-[godocs]: http://godoc.org/github.com/elastic/ecs/code/go/ecs
-
-This package contains Go source code that is generated from the Elastic Common
-Schema (ECS).
diff --git a/code/go/ecs/agent.go b/code/go/ecs/agent.go
deleted file mode 100644
index 2f0ba669f9..0000000000
--- a/code/go/ecs/agent.go
+++ /dev/null
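Review bot: In the `-96,11` hunk the `setup` target is deleted outright rather than kept as a thin alias, so any contributor instructions or local scripts that still run `make setup` will now fail with a missing-rule error instead of degrading to a no-op. If contributor docs reference `make setup` (none are in this diff), update them alongside this change; otherwise a one-line `setup: ve` preceded by `# Deprecated: tooling is Python-only now, use 'make ve'.` would keep the old entry point working for one release. The `-70,16` hunk is consistent with that removal: it drops both remaining uses of `FORCE_GO_MODULES` together with the variable definition removed in the `-3,7` hunk, so no dangling reference is left in the visible parts of the Makefile.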
@@ -1,58 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// The agent fields contain the data about the software entity, if any, that -// collects, detects, or observes events on a host, or takes measurements on a -// host. -// Examples include Beats. Agents may also run on observers. ECS agent.* fields -// shall be populated with details of the agent running on the host or observer -// where the event happened or the measurement was taken. -type Agent struct { - // Version of the agent. - Version string `ecs:"version"` - - // Extended build information for the agent. - // This field is intended to contain any build information that a data - // source may provide, no specific formatting is required. - BuildOriginal string `ecs:"build.original"` - - // Custom name of the agent. - // This is a name that can be given to an agent. This can be helpful if for - // example two Filebeat instances are running on the same host but a human - // readable separation is needed on which Filebeat instance data is coming - // from. - // If no name is given, the name is often left empty. - Name string `ecs:"name"` - - // Type of the agent. 
- // The agent type always stays the same and should be given by the agent - // used. In case of Filebeat the agent would always be Filebeat also if two - // Filebeat instances are run on the same machine. - Type string `ecs:"type"` - - // Unique identifier of this agent (if one exists). - // Example: For Beats this would be beat.id. - ID string `ecs:"id"` - - // Ephemeral identifier of this agent (if one exists). - // This id normally changes across restarts, but `agent.id` does not. - EphemeralID string `ecs:"ephemeral_id"` -} diff --git a/code/go/ecs/as.go b/code/go/ecs/as.go deleted file mode 100644 index 32451693f6..0000000000 --- a/code/go/ecs/as.go +++ /dev/null 
@@ -1,33 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// An autonomous system (AS) is a collection of connected Internet Protocol -// (IP) routing prefixes under the control of one or more network operators on -// behalf of a single administrative entity or domain that presents a common, -// clearly defined routing policy to the internet. -type AS struct { - // Unique number allocated to the autonomous system. The autonomous system - // number (ASN) uniquely identifies each network on the Internet. - Number int64 `ecs:"number"` - - // Organization name. - OrganizationName string `ecs:"organization.name"` -} diff --git a/code/go/ecs/base.go b/code/go/ecs/base.go deleted file mode 100644 index 096641294c..0000000000 --- a/code/go/ecs/base.go +++ /dev/null 
@@ -1,52 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -import ( - "time" -) - -// The `base` field set contains all fields which are at the root of the -// events. These fields are common across all types of events. -type Base struct { - // Date/time when the event originated. - // This is the date/time extracted from the event, typically representing - // when the event was generated by the source. - // If the event source has no original timestamp, this value is typically - // populated by the first time the event was received by the pipeline. - // Required field for all events. - Timestamp time.Time `ecs:"@timestamp"` - - // List of keywords used to tag each event. - Tags string `ecs:"tags"` - - // Custom key/value pairs. - // Can be used to add meta information to events. Should not contain nested - // objects. All values are stored as keyword. - // Example: `docker` and `k8s` labels. - Labels map[string]interface{} `ecs:"labels"` - - // For log events the message field contains the log message, optimized for - // viewing in a log viewer. 
- // For structured logs without an original message field, other fields can - // be concatenated to form a human-readable summary of the event. - // If multiple messages exist, they can be combined into one message. - Message string `ecs:"message"` -} diff --git a/code/go/ecs/client.go b/code/go/ecs/client.go deleted file mode 100644 index 0942961b91..0000000000 --- a/code/go/ecs/client.go +++ /dev/null 
@@ -1,103 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// A client is defined as the initiator of a network connection for events -// regarding sessions, connections, or bidirectional flow records. -// For TCP events, the client is the initiator of the TCP connection that sends -// the SYN packet(s). For other protocols, the client is generally the -// initiator or requestor in the network transaction. Some systems use the term -// "originator" to refer the client in TCP connections. The client fields -// describe details about the system acting as the client in the network event. -// Client fields are usually populated in conjunction with server fields. -// Client fields are generally not populated for packet-level events. -// Client / server representations can add semantic context to an exchange, -// which is helpful to visualize the data in certain situations. If your -// context falls in that category, you should still ensure that source and -// destination are filled appropriately. -type Client struct { - // Some event client addresses are defined ambiguously. The event will - // sometimes list an IP, a domain or a unix socket. 
You should always - // store the raw address in the `.address` field. - // Then it should be duplicated to `.ip` or `.domain`, depending on which - // one it is. - Address string `ecs:"address"` - - // IP address of the client (IPv4 or IPv6). - IP string `ecs:"ip"` - - // Port of the client. - Port int64 `ecs:"port"` - - // MAC address of the client. - // The notation format from RFC 7042 is suggested: Each octet (that is, - // 8-bit byte) is represented by two [uppercase] hexadecimal digits giving - // the value of the octet as an unsigned integer. Successive octets are - // separated by a hyphen. - MAC string `ecs:"mac"` - - // Client domain. - Domain string `ecs:"domain"` - - // The highest registered client domain, stripped of the subdomain. - // For example, the registered domain for "foo.example.com" is - // "example.com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last two labels will not work well for TLDs such as - // "co.uk". - RegisteredDomain string `ecs:"registered_domain"` - - // The effective top level domain (eTLD), also known as the domain suffix, - // is the last part of the domain name. For example, the top level domain - // for example.com is "com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last label will not work well for effective TLDs such - // as "co.uk". - TopLevelDomain string `ecs:"top_level_domain"` - - // The subdomain portion of a fully qualified domain name includes all of - // the names except the host name under the registered_domain. In a - // partially qualified domain, or if the the qualification level of the - // full name cannot be determined, subdomain contains all of the names - // below the registered domain. 
- // For example the subdomain portion of "www.east.mydomain.co.uk" is - // "east". If the domain has multiple levels of subdomain, such as - // "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", - // with no trailing period. - Subdomain string `ecs:"subdomain"` - - // Bytes sent from the client to the server. - Bytes int64 `ecs:"bytes"` - - // Packets sent from the client to the server. - Packets int64 `ecs:"packets"` - - // Translated IP of source based NAT sessions (e.g. internal client to - // internet). - // Typically connections traversing load balancers, firewalls, or routers. - NatIP string `ecs:"nat.ip"` - - // Translated port of source based NAT sessions (e.g. internal client to - // internet). - // Typically connections traversing load balancers, firewalls, or routers. - NatPort int64 `ecs:"nat.port"` -} diff --git a/code/go/ecs/cloud.go b/code/go/ecs/cloud.go deleted file mode 100644 index 66a208b47f..0000000000 --- a/code/go/ecs/cloud.go +++ /dev/null 
@@ -1,67 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// Fields related to the cloud or infrastructure the events are coming from. -type Cloud struct { - // Name of the cloud provider. Example values are aws, azure, gcp, or - // digitalocean. - Provider string `ecs:"provider"` - - // Availability zone in which this host, resource, or service is located. - AvailabilityZone string `ecs:"availability_zone"` - - // Region in which this host, resource, or service is located. - Region string `ecs:"region"` - - // Instance ID of the host machine. - InstanceID string `ecs:"instance.id"` - - // Instance name of the host machine. - InstanceName string `ecs:"instance.name"` - - // Machine type of the host machine. - MachineType string `ecs:"machine.type"` - - // The cloud account or organization id used to identify different entities - // in a multi-tenant environment. - // Examples: AWS account id, Google Cloud ORG Id, or other unique - // identifier. - AccountID string `ecs:"account.id"` - - // The cloud account name or alias used to identify different entities in a - // multi-tenant environment. 
- // Examples: AWS account name, Google Cloud ORG display name. - AccountName string `ecs:"account.name"` - - // The cloud service name is intended to distinguish services running on - // different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs - // App Engine, Azure VM vs App Server. - // Examples: app engine, app service, cloud run, fargate, lambda. - ServiceName string `ecs:"service.name"` - - // The cloud project identifier. - // Examples: Google Cloud Project id, Azure Project id. - ProjectID string `ecs:"project.id"` - - // The cloud project name. - // Examples: Google Cloud Project name, Azure Project name. - ProjectName string `ecs:"project.name"` -} diff --git a/code/go/ecs/code_signature.go b/code/go/ecs/code_signature.go deleted file mode 100644 index f9b922a24d..0000000000 --- a/code/go/ecs/code_signature.go +++ /dev/null 
@@ -1,68 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -import ( - "time" -) - -// These fields contain information about binary code signatures. -type CodeSignature struct { - // Boolean to capture if a signature is present. - Exists bool `ecs:"exists"` - - // Subject name of the code signer - SubjectName string `ecs:"subject_name"` - - // Boolean to capture if the digital signature is verified against the - // binary content. - // Leave unpopulated if a certificate was unchecked. - Valid bool `ecs:"valid"` - - // Stores the trust status of the certificate chain. - // Validating the trust of the certificate chain may be complicated, and - // this field should only be populated by tools that actively check the - // status. - Trusted bool `ecs:"trusted"` - - // Additional information about the certificate status. - // This is useful for logging cryptographic errors with the certificate - // validity or trust status. Leave unpopulated if the validity or trust of - // the certificate was unchecked. - Status string `ecs:"status"` - - // The team identifier used to sign the process. 
- // This is used to identify the team or vendor of a software product. The - // field is relevant to Apple *OS only. - TeamID string `ecs:"team_id"` - - // The identifier used to sign the process. - // This is used to identify the application manufactured by a software - // vendor. The field is relevant to Apple *OS only. - SigningID string `ecs:"signing_id"` - - // The hashing algorithm used to sign the process. - // This value can distinguish signatures when a file is signed multiple - // times by the same signer but with a different digest algorithm. - DigestAlgorithm string `ecs:"digest_algorithm"` - - // Date and time when the code signature was generated and signed. - Timestamp time.Time `ecs:"timestamp"` -} diff --git a/code/go/ecs/container.go b/code/go/ecs/container.go deleted file mode 100644 index 34c5698ba5..0000000000 --- a/code/go/ecs/container.go +++ /dev/null 
@@ -1,43 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// Container fields are used for meta information about the specific container -// that is the source of information. -// These fields help correlate data based containers from any runtime. -type Container struct { - // Runtime managing this container. - Runtime string `ecs:"runtime"` - - // Unique container id. - ID string `ecs:"id"` - - // Name of the image the container was built on. - ImageName string `ecs:"image.name"` - - // Container image tags. - ImageTag string `ecs:"image.tag"` - - // Container name. - Name string `ecs:"name"` - - // Image labels. - Labels map[string]interface{} `ecs:"labels"` -} diff --git a/code/go/ecs/data_stream.go b/code/go/ecs/data_stream.go deleted file mode 100644 index e641fbb514..0000000000 --- a/code/go/ecs/data_stream.go +++ /dev/null 
@@ -1,67 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// The data_stream fields take part in defining the new data stream naming -// scheme. -// In the new data stream naming scheme the value of the data stream fields -// combine to the name of the actual data stream in the following manner: -// `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This -// means the fields can only contain characters that are valid as part of names -// of data streams. More details about this can be found in this -// https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog -// post]. -// An Elasticsearch data stream consists of one or more backing indices, and a -// data stream name forms part of the backing indices names. Due to this -// convention, data streams must also follow index naming restrictions. For -// example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, -// `|`, ` ` (space character), `,`, or `#`. 
Please see the Elasticsearch -// reference for additional -// https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions]. -type DataStream struct { - // An overarching type for the data stream. - // Currently allowed values are "logs" and "metrics". We expect to also add - // "traces" and "synthetics" in the near future. - Type string `ecs:"type"` - - // The field can contain anything that makes sense to signify the source of - // the data. - // Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data - // streams that otherwise fit, but that do not have dataset set we use the - // value "generic" for the dataset value. `event.dataset` should have the - // same value as `data_stream.dataset`. - // Beyond the Elasticsearch data stream naming criteria noted above, the - // `dataset` value has additional restrictions: - // * Must not contain `-` - // * No longer than 100 characters - Dataset string `ecs:"dataset"` - - // A user defined namespace. Namespaces are useful to allow grouping of - // data. - // Many users already organize their indices this way, and the data stream - // naming scheme now provides this best practice as a default. Many users - // will populate this field with `default`. If no value is used, it falls - // back to `default`. - // Beyond the Elasticsearch index naming criteria noted above, `namespace` - // value has the additional restrictions: - // * Must not contain `-` - // * No longer than 100 characters - Namespace string `ecs:"namespace"` -} diff --git a/code/go/ecs/destination.go b/code/go/ecs/destination.go deleted file mode 100644 index 0d53a18d4b..0000000000 --- a/code/go/ecs/destination.go +++ /dev/null 
@@ -1,98 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// Destination fields capture details about the receiver of a network -// exchange/packet. These fields are populated from a network event, packet, or -// other event containing details of a network transaction. -// Destination fields are usually populated in conjunction with source fields. -// The source and destination fields are considered the baseline and should -// always be filled if an event contains source and destination details from a -// network transaction. If the event also contains identification of the client -// and server roles, then the client and server fields should also be -// populated. -type Destination struct { - // Some event destination addresses are defined ambiguously. The event will - // sometimes list an IP, a domain or a unix socket. You should always - // store the raw address in the `.address` field. - // Then it should be duplicated to `.ip` or `.domain`, depending on which - // one it is. - Address string `ecs:"address"` - - // IP address of the destination (IPv4 or IPv6). - IP string `ecs:"ip"` - - // Port of the destination. 
- Port int64 `ecs:"port"` - - // MAC address of the destination. - // The notation format from RFC 7042 is suggested: Each octet (that is, - // 8-bit byte) is represented by two [uppercase] hexadecimal digits giving - // the value of the octet as an unsigned integer. Successive octets are - // separated by a hyphen. - MAC string `ecs:"mac"` - - // Destination domain. - Domain string `ecs:"domain"` - - // The highest registered destination domain, stripped of the subdomain. - // For example, the registered domain for "foo.example.com" is - // "example.com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last two labels will not work well for TLDs such as - // "co.uk". - RegisteredDomain string `ecs:"registered_domain"` - - // The effective top level domain (eTLD), also known as the domain suffix, - // is the last part of the domain name. For example, the top level domain - // for example.com is "com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last label will not work well for effective TLDs such - // as "co.uk". - TopLevelDomain string `ecs:"top_level_domain"` - - // The subdomain portion of a fully qualified domain name includes all of - // the names except the host name under the registered_domain. In a - // partially qualified domain, or if the the qualification level of the - // full name cannot be determined, subdomain contains all of the names - // below the registered domain. - // For example the subdomain portion of "www.east.mydomain.co.uk" is - // "east". If the domain has multiple levels of subdomain, such as - // "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", - // with no trailing period. - Subdomain string `ecs:"subdomain"` - - // Bytes sent from the destination to the source. 
- Bytes int64 `ecs:"bytes"` - - // Packets sent from the destination to the source. - Packets int64 `ecs:"packets"` - - // Translated ip of destination based NAT sessions (e.g. internet to - // private DMZ) - // Typically used with load balancers, firewalls, or routers. - NatIP string `ecs:"nat.ip"` - - // Port the source session is translated to by NAT Device. - // Typically used with load balancers, firewalls, or routers. - NatPort int64 `ecs:"nat.port"` -} diff --git a/code/go/ecs/dll.go b/code/go/ecs/dll.go deleted file mode 100644 index 3671e7096e..0000000000 --- a/code/go/ecs/dll.go +++ /dev/null 
@@ -1,37 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// These fields contain information about code libraries dynamically loaded -// into processes. -// -// Many operating systems refer to "shared code libraries" with different -// names, but this field set refers to all of the following: -// * Dynamic-link library (`.dll`) commonly used on Windows -// * Shared Object (`.so`) commonly used on Unix-like operating systems -// * Dynamic library (`.dylib`) commonly used on macOS -type Dll struct { - // Name of the library. - // This generally maps to the name of the file on disk. - Name string `ecs:"name"` - - // Full file path of the library. - Path string `ecs:"path"` -} diff --git a/code/go/ecs/dns.go b/code/go/ecs/dns.go deleted file mode 100644 index 5761da1b39..0000000000 --- a/code/go/ecs/dns.go +++ /dev/null 
@@ -1,130 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// Fields describing DNS queries and answers. -// DNS events should either represent a single DNS query prior to getting -// answers (`dns.type:query`) or they should represent a full exchange and -// contain the query details as well as all of the answers that were provided -// for this query (`dns.type:answer`). -type Dns struct { - // The type of DNS event captured, query or answer. - // If your source of DNS events only gives you DNS queries, you should only - // create dns events of type `dns.type:query`. - // If your source of DNS events gives you answers as well, you should - // create one event per query (optionally as soon as the query is seen). - // And a second event containing all query details as well as an array of - // answers. - Type string `ecs:"type"` - - // The DNS packet identifier assigned by the program that generated the - // query. The identifier is copied to the response. - ID string `ecs:"id"` - - // The DNS operation code that specifies the kind of query in the message. - // This value is set by the originator of a query and copied into the - // response. 
- OpCode string `ecs:"op_code"` - - // Array of 2 letter DNS header flags. - // Expected values are: AA, TC, RD, RA, AD, CD, DO. - HeaderFlags string `ecs:"header_flags"` - - // The DNS response code. - ResponseCode string `ecs:"response_code"` - - // The name being queried. - // If the name field contains non-printable characters (below 32 or above - // 126), those characters should be represented as escaped base 10 integers - // (\DDD). Back slashes and quotes should be escaped. Tabs, carriage - // returns, and line feeds should be converted to \t, \r, and \n - // respectively. - QuestionName string `ecs:"question.name"` - - // The type of record being queried. - QuestionType string `ecs:"question.type"` - - // The class of records being queried. - QuestionClass string `ecs:"question.class"` - - // The highest registered domain, stripped of the subdomain. - // For example, the registered domain for "foo.example.com" is - // "example.com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last two labels will not work well for TLDs such as - // "co.uk". - QuestionRegisteredDomain string `ecs:"question.registered_domain"` - - // The effective top level domain (eTLD), also known as the domain suffix, - // is the last part of the domain name. For example, the top level domain - // for example.com is "com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last label will not work well for effective TLDs such - // as "co.uk". - QuestionTopLevelDomain string `ecs:"question.top_level_domain"` - - // The subdomain is all of the labels under the registered_domain. - // If the domain has multiple levels of subdomain, such as - // "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", - // with no trailing period. 
- QuestionSubdomain string `ecs:"question.subdomain"` - - // An array containing an object for each answer section returned by the - // server. - // The main keys that should be present in these objects are defined by - // ECS. Records that have more information may contain more keys than what - // ECS defines. - // Not all DNS data sources give all details about DNS answers. At minimum, - // answer objects must contain the `data` key. If more information is - // available, map as much of it to ECS as possible, and add any additional - // fields to the answer objects as custom fields. - Answers map[string]interface{} `ecs:"answers"` - - // The domain name to which this resource record pertains. - // If a chain of CNAME is being resolved, each answer's `name` should be - // the one that corresponds with the answer's `data`. It should not simply - // be the original `question.name` repeated. - AnswersName string `ecs:"answers.name"` - - // The type of data contained in this resource record. - AnswersType string `ecs:"answers.type"` - - // The class of DNS data contained in this resource record. - AnswersClass string `ecs:"answers.class"` - - // The time interval in seconds that this resource record may be cached - // before it should be discarded. Zero values mean that the data should not - // be cached. - AnswersTtl int64 `ecs:"answers.ttl"` - - // The data describing the resource. - // The meaning of this data depends on the type and class of the resource - // record. - AnswersData string `ecs:"answers.data"` - - // Array containing all IPs seen in `answers.data`. - // The `answers` array can be difficult to use, because of the variety of - // data formats it can contain. Extracting all IP addresses seen in there - // to `dns.resolved_ip` makes it possible to index them as IP addresses, - // and makes them easier to visualize and query for. - ResolvedIP string `ecs:"resolved_ip"` -} 
diff --git a/code/go/ecs/doc.go b/code/go/ecs/doc.go deleted file mode 100644 index 48c8e74d8c..0000000000 --- a/code/go/ecs/doc.go +++ /dev/null @@ -1,22 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Package ecs contains source code that is generated from the Elastic Common -// Schema (ECS). -// -// https://github.com/elastic/ecs#elastic-common-schema-ecs -package ecs diff --git a/code/go/ecs/ecs.go b/code/go/ecs/ecs.go deleted file mode 100644 index 413878ef0c..0000000000 --- a/code/go/ecs/ecs.go +++ /dev/null 
@@ -1,30 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// Meta-information specific to ECS. -type ECS struct { - // ECS version this event conforms to. `ecs.version` is a required field - // and must exist in all events. - // When querying across multiple indices -- which may conform to slightly - // different ECS versions -- this field lets integrations adjust to the - // schema version of the events. - Version string `ecs:"version"` -} diff --git a/code/go/ecs/elf.go b/code/go/ecs/elf.go deleted file mode 100644 index ee17c2870f..0000000000 --- a/code/go/ecs/elf.go +++ /dev/null 
@@ -1,123 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -import ( - "time" -) - -// These fields contain Linux Executable Linkable Format (ELF) metadata. -type Elf struct { - // Extracted when possible from the file's metadata. Indicates when it was - // built or compiled. It can also be faked by malware creators. - CreationDate time.Time `ecs:"creation_date"` - - // Machine architecture of the ELF file. - Architecture string `ecs:"architecture"` - - // Byte sequence of ELF file. - ByteOrder string `ecs:"byte_order"` - - // CPU type of the ELF file. - CpuType string `ecs:"cpu_type"` - - // Header class of the ELF file. - HeaderClass string `ecs:"header.class"` - - // Data table of the ELF header. - HeaderData string `ecs:"header.data"` - - // Application Binary Interface (ABI) of the Linux OS. - HeaderOsAbi string `ecs:"header.os_abi"` - - // Header type of the ELF file. - HeaderType string `ecs:"header.type"` - - // Version of the ELF header. - HeaderVersion string `ecs:"header.version"` - - // Version of the ELF Application Binary Interface (ABI). 
- HeaderAbiVersion string `ecs:"header.abi_version"` - - // Header entrypoint of the ELF file. - HeaderEntrypoint int64 `ecs:"header.entrypoint"` - - // "0x1" for original ELF files. - HeaderObjectVersion string `ecs:"header.object_version"` - - // An array containing an object for each section of the ELF file. - // The keys that should be present in these objects are defined by - // sub-fields underneath `elf.sections.*`. - Sections []Sections `ecs:"sections"` - - // List of exported element names and types. - Exports map[string]interface{} `ecs:"exports"` - - // List of imported element names and types. - Imports map[string]interface{} `ecs:"imports"` - - // List of shared libraries used by this ELF object. - SharedLibraries string `ecs:"shared_libraries"` - - // telfhash symbol hash for ELF file. - Telfhash string `ecs:"telfhash"` - - // An array containing an object for each segment of the ELF file. - // The keys that should be present in these objects are defined by - // sub-fields underneath `elf.segments.*`. - Segments []Segments `ecs:"segments"` -} - -type Sections struct { - // ELF Section List flags. - Flags string `ecs:"flags"` - - // ELF Section List name. - Name string `ecs:"name"` - - // ELF Section List offset. - PhysicalOffset string `ecs:"physical_offset"` - - // ELF Section List type. - Type string `ecs:"type"` - - // ELF Section List physical size. - PhysicalSize int64 `ecs:"physical_size"` - - // ELF Section List virtual address. - VirtualAddress int64 `ecs:"virtual_address"` - - // ELF Section List virtual size. - VirtualSize int64 `ecs:"virtual_size"` - - // Shannon entropy calculation from the section. - Entropy int64 `ecs:"entropy"` - - // Chi-square probability distribution of the section. - Chi2 int64 `ecs:"chi2"` -} - -type Segments struct { - // ELF object segment type. - Type string `ecs:"type"` - - // ELF object segment sections. - Sections string `ecs:"sections"` -} 
diff --git a/code/go/ecs/error.go b/code/go/ecs/error.go deleted file mode 100644 index 0fea2b4584..0000000000 --- a/code/go/ecs/error.go +++ /dev/null @@ -1,40 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// These fields can represent errors of any kind. -// Use them for errors that happen while fetching events or in cases where the -// event itself contains an error. -type Error struct { - // Unique identifier for the error. - ID string `ecs:"id"` - - // Error message. - Message string `ecs:"message"` - - // Error code describing the error. - Code string `ecs:"code"` - - // The type of the error, for example the class name of the exception. - Type string `ecs:"type"` - - // The stack trace of this error in plain text. - StackTrace string `ecs:"stack_trace"` -} diff --git a/code/go/ecs/event.go b/code/go/ecs/event.go deleted file mode 100644 index c55bc0d364..0000000000 --- a/code/go/ecs/event.go +++ /dev/null 
@@ -1,243 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -import ( - "time" -) - -// The event fields are used for context information about the log or metric -// event itself. -// A log is defined as an event containing details of something that happened. -// Log events must include the time at which the thing happened. Examples of -// log events include a process starting on a host, a network packet being sent -// from a source to a destination, or a network connection between a client and -// a server being initiated or closed. A metric is defined as an event -// containing one or more numerical measurements and the time at which the -// measurement was taken. Examples of metric events include memory pressure -// measured on a host and device temperature. See the `event.kind` definition -// in this section for additional details about metric and state events. -type Event struct { - // Unique ID to describe the event. - ID string `ecs:"id"` - - // Identification code for this event, if one exists. 
- // Some event sources use event codes to identify messages unambiguously, - // regardless of message language or wording adjustments over time. An - // example of this is the Windows Event ID. - Code string `ecs:"code"` - - // This is one of four ECS Categorization Fields, and indicates the highest - // level in the ECS category hierarchy. - // `event.kind` gives high-level information about what type of information - // the event contains, without being specific to the contents of the event. - // For example, values of this field distinguish alert events from metric - // events. - // The value of this field can be used to inform how these kinds of events - // should be handled. They may warrant different retention, different - // access control, it may also help understand whether the data coming in - // at a regular interval or not. - Kind string `ecs:"kind"` - - // This is one of four ECS Categorization Fields, and indicates the second - // level in the ECS category hierarchy. - // `event.category` represents the "big buckets" of ECS categories. For - // example, filtering on `event.category:process` yields all events - // relating to process activity. This field is closely related to - // `event.type`, which is used as a subcategory. - // This field is an array. This will allow proper categorization of some - // events that fall in multiple categories. - Category string `ecs:"category"` - - // The action captured by the event. - // This describes the information in the event. It is more specific than - // `event.category`. Examples are `group-add`, `process-started`, - // `file-created`. The value is normally defined by the implementer. - Action string `ecs:"action"` - - // This is one of four ECS Categorization Fields, and indicates the lowest - // level in the ECS category hierarchy. - // `event.outcome` simply denotes whether the event represents a success or - // a failure from the perspective of the entity that produced the event. 
- // Note that when a single transaction is described in multiple events, - // each event may populate different values of `event.outcome`, according - // to their perspective. - // Also note that in the case of a compound event (a single event that - // contains multiple logical events), this field should be populated with - // the value that best captures the overall success or failure from the - // perspective of the event producer. - // Further note that not all events will have an associated outcome. For - // example, this field is generally not populated for metric events, events - // with `event.type:info`, or any events for which an outcome does not make - // logical sense. - Outcome string `ecs:"outcome"` - - // This is one of four ECS Categorization Fields, and indicates the third - // level in the ECS category hierarchy. - // `event.type` represents a categorization "sub-bucket" that, when used - // along with the `event.category` field values, enables filtering events - // down to a level appropriate for single visualization. - // This field is an array. This will allow proper categorization of some - // events that fall in multiple event types. - Type string `ecs:"type"` - - // Name of the module this data is coming from. - // If your monitoring agent supports the concept of modules or plugins to - // process events of a given source (e.g. Apache logs), `event.module` - // should contain the name of this module. - Module string `ecs:"module"` - - // Name of the dataset. - // If an event source publishes more than one type of log or events (e.g. - // access log, error log), the dataset is used to specify which one the - // event comes from. - // It's recommended but not required to start the dataset name with the - // module name, followed by a dot, then the dataset name. - Dataset string `ecs:"dataset"` - - // Source of the event. - // Event transports such as Syslog or the Windows Event Log typically - // mention the source of an event. 
It can be the name of the software that - // generated the event (e.g. Sysmon, httpd), or of a subsystem of the - // operating system (kernel, Microsoft-Windows-Security-Auditing). - Provider string `ecs:"provider"` - - // The numeric severity of the event according to your event source. - // What the different severity values mean can be different between sources - // and use cases. It's up to the implementer to make sure severities are - // consistent across events from the same source. - // The Syslog severity belongs in `log.syslog.severity.code`. - // `event.severity` is meant to represent the severity according to the - // event source (e.g. firewall, IDS). If the event source does not publish - // its own severity, you may optionally copy the `log.syslog.severity.code` - // to `event.severity`. - Severity int64 `ecs:"severity"` - - // Raw text message of entire event. Used to demonstrate log integrity or - // where the full log message (before splitting it up in multiple parts) - // may be required, e.g. for reindex. - // This field is not indexed and doc_values are disabled. It cannot be - // searched, but it can be retrieved from `_source`. If users wish to - // override this and index this field, please see `Field data types` in the - // `Elasticsearch Reference`. - Original string `ecs:"original"` - - // Hash (perhaps logstash fingerprint) of raw field to be able to - // demonstrate log integrity. - Hash string `ecs:"hash"` - - // Duration of the event in nanoseconds. - // If event.start and event.end are known this value should be the - // difference between the end and start time. - Duration time.Duration `ecs:"duration"` - - // Sequence number of the event. - // The sequence number is a value published by some event sources, to make - // the exact ordering of events unambiguous, regardless of the timestamp - // precision. 
- Sequence int64 `ecs:"sequence"` - - // This field should be populated when the event's timestamp does not - // include timezone information already (e.g. default Syslog timestamps). - // It's optional otherwise. - // Acceptable timezone formats are: a canonical ID (e.g. - // "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential - // (e.g. "-05:00"). - Timezone string `ecs:"timezone"` - - // event.created contains the date/time when the event was first read by an - // agent, or by your pipeline. - // This field is distinct from @timestamp in that @timestamp typically - // contain the time extracted from the original event. - // In most situations, these two timestamps will be slightly different. The - // difference can be used to calculate the delay between your source - // generating an event, and the time when your agent first processed it. - // This can be used to monitor your agent's or pipeline's ability to keep - // up with your event source. - // In case the two timestamps are identical, @timestamp should be used. - Created time.Time `ecs:"created"` - - // event.start contains the date when the event started or when the - // activity was first observed. - Start time.Time `ecs:"start"` - - // event.end contains the date when the event ended or when the activity - // was last observed. - End time.Time `ecs:"end"` - - // Risk score or priority of the event (e.g. security solutions). Use your - // system's original value here. - RiskScore float64 `ecs:"risk_score"` - - // Normalized risk score or priority of the event, on a scale of 0 to 100. - // This is mainly useful if you use more than one system that assigns risk - // scores, and you want to see a normalized value across all systems. - RiskScoreNorm float64 `ecs:"risk_score_norm"` - - // Timestamp when an event arrived in the central data store. - // This is different from `@timestamp`, which is when the event originally - // occurred. 
It's also different from `event.created`, which is meant to - // capture the first time an agent saw the event. - // In normal conditions, assuming no tampering, the timestamps should - // chronologically look like this: `@timestamp` < `event.created` < - // `event.ingested`. - Ingested time.Time `ecs:"ingested"` - - // Reference URL linking to additional information about this event. - // This URL links to a static definition of this event. Alert events, - // indicated by `event.kind:alert`, are a common use case for this field. - Reference string `ecs:"reference"` - - // URL linking to an external system to continue investigation of this - // event. - // This URL links to another system where in-depth investigation of the - // specific occurrence of this event can take place. Alert events, - // indicated by `event.kind:alert`, are a common use case for this field. - Url string `ecs:"url"` - - // Reason why this event happened, according to the source. - // This describes the why of a particular action or outcome captured in the - // event. Where `event.action` captures the action from the event, - // `event.reason` describes why that action was taken. For example, a web - // proxy with an `event.action` which denied the request may also populate - // `event.reason` with the reason why (e.g. `blocked site`). - Reason string `ecs:"reason"` - - // Agents are normally responsible for populating the `agent.id` field - // value. If the system receiving events is capable of validating the value - // based on authentication information for the client then this field can - // be used to reflect the outcome of that validation. - // For example if the agent's connection is authenticated with mTLS and the - // client cert contains the ID of the agent to which the cert was issued - // then the `agent.id` value in events can be checked against the - // certificate. 
If the values match then `event.agent_id_status: verified` - // is added to the event, otherwise one of the other allowed values should - // be used. - // If no validation is performed then the field should be omitted. - // The allowed values are: - // `verified` - The `agent.id` field value matches expected value obtained - // from auth metadata. - // `mismatch` - The `agent.id` field value does not match the expected - // value obtained from auth metadata. - // `missing` - There was no `agent.id` field in the event to validate. - // `auth_metadata_missing` - There was no auth metadata or it was missing - // information about the agent ID. - AgentIDStatus string `ecs:"agent_id_status"` -} diff --git a/code/go/ecs/file.go b/code/go/ecs/file.go deleted file mode 100644 index 3159585582..0000000000 --- a/code/go/ecs/file.go +++ /dev/null 
@@ -1,128 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -import ( - "time" -) - -// A file is defined as a set of information that has been created on, or has -// existed on a filesystem. -// File objects can be associated with host events, network events, and/or file -// events (e.g., those produced by File Integrity Monitoring [FIM] products or -// services). File fields provide details about the affected file associated -// with the event or metric. -type File struct { - // Name of the file including the extension, without the directory. - Name string `ecs:"name"` - - // Array of file attributes. - // Attributes names will vary by platform. Here's a non-exhaustive list of - // values that are expected in this field: archive, compressed, directory, - // encrypted, execute, hidden, read, readonly, system, write. - Attributes string `ecs:"attributes"` - - // Directory where the file is located. It should include the drive letter, - // when appropriate. - Directory string `ecs:"directory"` - - // Drive letter where the file is located. This field is only relevant on - // Windows. 
- // The value should be uppercase, and not include the colon. - DriveLetter string `ecs:"drive_letter"` - - // Full path to the file, including the file name. It should include the - // drive letter, when appropriate. - Path string `ecs:"path"` - - // Target path for symlinks. - TargetPath string `ecs:"target_path"` - - // File extension, excluding the leading dot. - // Note that when the file name has multiple extensions (example.tar.gz), - // only the last one should be captured ("gz", not "tar.gz"). - Extension string `ecs:"extension"` - - // File type (file, dir, or symlink). - Type string `ecs:"type"` - - // Device that is the source of the file. - Device string `ecs:"device"` - - // Inode representing the file in the filesystem. - Inode string `ecs:"inode"` - - // The user ID (UID) or security identifier (SID) of the file owner. - UID string `ecs:"uid"` - - // File owner's username. - Owner string `ecs:"owner"` - - // Primary group ID (GID) of the file. - Gid string `ecs:"gid"` - - // Primary group name of the file. - Group string `ecs:"group"` - - // Mode of the file in octal representation. - Mode string `ecs:"mode"` - - // File size in bytes. - // Only relevant when `file.type` is "file". - Size int64 `ecs:"size"` - - // Last time the file content was modified. - Mtime time.Time `ecs:"mtime"` - - // Last time the file attributes or metadata changed. - // Note that changes to the file content will update `mtime`. This implies - // `ctime` will be adjusted at the same time, since `mtime` is an attribute - // of the file. - Ctime time.Time `ecs:"ctime"` - - // File creation time. - // Note that not all filesystems store the creation time. - Created time.Time `ecs:"created"` - - // Last time the file was accessed. - // Note that not all filesystems keep track of access time. 
- Accessed time.Time `ecs:"accessed"` - - // MIME type should identify the format of the file or stream of bytes - // using - // https://www.iana.org/assignments/media-types/media-types.xhtml[IANA - // official types], where possible. When more than one type is applicable, - // the most specific type should be used. - MimeType string `ecs:"mime_type"` - - // A fork is additional data associated with a filesystem object. - // On Linux, a resource fork is used to store additional data with a - // filesystem object. A file always has at least one fork for the data - // portion, and additional forks may exist. - // On NTFS, this is analogous to an Alternate Data Stream (ADS), and the - // default data stream for a file is just called $DATA. Zone.Identifier is - // commonly used by Windows to track contents downloaded from the Internet. - // An ADS is typically of the form: - // `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is - // the value that should populate `fork_name`. `filename.extension` should - // populate `file.name`, and `extension` should populate `file.extension`. - // The full path, `file.path`, will include the fork name. - ForkName string `ecs:"fork_name"` -} diff --git a/code/go/ecs/geo.go b/code/go/ecs/geo.go deleted file mode 100644 index 4033ac1d57..0000000000 --- a/code/go/ecs/geo.go +++ /dev/null 
@@ -1,64 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// Geo fields can carry data about a specific location related to an event.
-// This geolocation information can be derived from techniques such as Geo IP,
-// or be user-supplied.
-type Geo struct {
- // Longitude and latitude.
- Location string `ecs:"location"`
-
- // Two-letter code representing continent's name.
- ContinentCode string `ecs:"continent_code"`
-
- // Name of the continent.
- ContinentName string `ecs:"continent_name"`
-
- // Country name.
- CountryName string `ecs:"country_name"`
-
- // Region name.
- RegionName string `ecs:"region_name"`
-
- // City name.
- CityName string `ecs:"city_name"`
-
- // Country ISO code.
- CountryIsoCode string `ecs:"country_iso_code"`
-
- // Postal code associated with the location.
- // Values appropriate for this field may also be known as a postcode or ZIP
- // code and will vary widely from country to country.
- PostalCode string `ecs:"postal_code"`
-
- // Region ISO code.
- RegionIsoCode string `ecs:"region_iso_code"`
-
- // The time zone of the location, such as IANA time zone name.
- Timezone string `ecs:"timezone"`
-
- // User-defined description of a location, at the level of granularity they
- // care about.
- // Could be the name of their data centers, the floor number, if this
- // describes a local physical entity, city names.
- // Not typically used in automated geolocation.
- Name string `ecs:"name"`
-}
diff --git a/code/go/ecs/group.go b/code/go/ecs/group.go
deleted file mode 100644
index ebcd78e148..0000000000
--- a/code/go/ecs/group.go
+++ /dev/null
@@ -1,34 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// The group fields are meant to represent groups that are relevant to the
-// event.
-type Group struct {
- // Unique identifier for the group on the system/platform.
- ID string `ecs:"id"`
-
- // Name of the group.
- Name string `ecs:"name"`
-
- // Name of the directory the group is a member of.
- // For example, an LDAP or Active Directory domain name.
- Domain string `ecs:"domain"`
-}
diff --git a/code/go/ecs/hash.go b/code/go/ecs/hash.go
deleted file mode 100644
index aa9354c759..0000000000
--- a/code/go/ecs/hash.go
+++ /dev/null
@@ -1,45 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// The hash fields represent different bitwise hash algorithms and their
-// values.
-// Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields
-// for other hashes by lowercasing the hash algorithm name and using underscore
-// separators as appropriate (snake case, e.g. sha3_512).
-// Note that this fieldset is used for common hashes that may be computed over
-// a range of generic bytes. Entity-specific hashes such as ja3 or imphash are
-// placed in the fieldsets to which they relate (tls and pe, respectively).
-type Hash struct {
- // MD5 hash.
- Md5 string `ecs:"md5"`
-
- // SHA1 hash.
- Sha1 string `ecs:"sha1"`
-
- // SHA256 hash.
- Sha256 string `ecs:"sha256"`
-
- // SHA512 hash.
- Sha512 string `ecs:"sha512"`
-
- // SSDEEP hash.
- Ssdeep string `ecs:"ssdeep"`
-}
diff --git a/code/go/ecs/host.go b/code/go/ecs/host.go
deleted file mode 100644
index 4953427208..0000000000
--- a/code/go/ecs/host.go
+++ /dev/null
@@ -1,102 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// A host is defined as a general computing instance.
-// ECS host.* fields should be populated with details about the host on which
-// the event happened, or from which the measurement was taken. Host types
-// include hardware, virtual machines, Docker containers, and Kubernetes nodes.
-type Host struct {
- // Hostname of the host.
- // It normally contains what the `hostname` command returns on the host
- // machine.
- Hostname string `ecs:"hostname"`
-
- // Name of the host.
- // It can contain what `hostname` returns on Unix systems, the fully
- // qualified domain name, or a name specified by the user. The sender
- // decides which value to use.
- Name string `ecs:"name"`
-
- // Unique host id.
- // As hostname is not always unique, use values that are meaningful in your
- // environment.
- // Example: The current usage of `beat.name`.
- ID string `ecs:"id"`
-
- // Host ip addresses.
- IP string `ecs:"ip"`
-
- // Host MAC addresses.
- // The notation format from RFC 7042 is suggested: Each octet (that is,
- // 8-bit byte) is represented by two [uppercase] hexadecimal digits giving
- // the value of the octet as an unsigned integer. Successive octets are
- // separated by a hyphen.
- MAC string `ecs:"mac"`
-
- // Type of host.
- // For Cloud providers this can be the machine type like `t2.medium`. If
- // vm, this could be the container, for example, or other information
- // meaningful in your environment.
- Type string `ecs:"type"`
-
- // Seconds the host has been up.
- Uptime int64 `ecs:"uptime"`
-
- // Operating system architecture.
- Architecture string `ecs:"architecture"`
-
- // Name of the domain of which the host is a member.
- // For example, on Windows this could be the host's Active Directory domain
- // or NetBIOS domain name. For Linux this could be the domain of the host's
- // LDAP provider.
- Domain string `ecs:"domain"`
-
- // Percent CPU used which is normalized by the number of CPU cores and it
- // ranges from 0 to 1.
- // Scaling factor: 1000.
- // For example: For a two core host, this value should be the average of
- // the two cores, between 0 and 1.
- CpuUsage float64 `ecs:"cpu.usage"`
-
- // The total number of bytes (gauge) read successfully (aggregated from all
- // disks) since the last metric collection.
- DiskReadBytes int64 `ecs:"disk.read.bytes"`
-
- // The total number of bytes (gauge) written successfully (aggregated from
- // all disks) since the last metric collection.
- DiskWriteBytes int64 `ecs:"disk.write.bytes"`
-
- // The number of bytes received (gauge) on all network interfaces by the
- // host since the last metric collection.
- NetworkIngressBytes int64 `ecs:"network.ingress.bytes"`
-
- // The number of packets (gauge) received on all network interfaces by the
- // host since the last metric collection.
- NetworkIngressPackets int64 `ecs:"network.ingress.packets"`
-
- // The number of bytes (gauge) sent out on all network interfaces by the
- // host since the last metric collection.
- NetworkEgressBytes int64 `ecs:"network.egress.bytes"`
-
- // The number of packets (gauge) sent out on all network interfaces by the
- // host since the last metric collection.
- NetworkEgressPackets int64 `ecs:"network.egress.packets"`
-}
diff --git a/code/go/ecs/http.go b/code/go/ecs/http.go
deleted file mode 100644
index a6082f0660..0000000000
--- a/code/go/ecs/http.go
+++ /dev/null
@@ -1,76 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// Fields related to HTTP activity. Use the `url` field set to store the url of
-// the request.
-type Http struct {
- // A unique identifier for each HTTP request to correlate logs between
- // clients and servers in transactions.
- // The id may be contained in a non-standard HTTP header, such as
- // `X-Request-ID` or `X-Correlation-ID`.
- RequestID string `ecs:"request.id"`
-
- // HTTP request method.
- // The value should retain its casing from the original event. For example,
- // `GET`, `get`, and `GeT` are all considered valid values for this field.
- RequestMethod string `ecs:"request.method"`
-
- // Mime type of the body of the request.
- // This value must only be populated based on the content of the request
- // body, not on the `Content-Type` header. Comparing the mime type of a
- // request with the request's Content-Type header can be helpful in
- // detecting threats or misconfigured clients.
- RequestMimeType string `ecs:"request.mime_type"`
-
- // The full HTTP request body.
- RequestBodyContent string `ecs:"request.body.content"`
-
- // Referrer for this HTTP request.
- RequestReferrer string `ecs:"request.referrer"`
-
- // HTTP response status code.
- ResponseStatusCode int64 `ecs:"response.status_code"`
-
- // Mime type of the body of the response.
- // This value must only be populated based on the content of the response
- // body, not on the `Content-Type` header. Comparing the mime type of a
- // response with the response's Content-Type header can be helpful in
- // detecting misconfigured servers.
- ResponseMimeType string `ecs:"response.mime_type"`
-
- // The full HTTP response body.
- ResponseBodyContent string `ecs:"response.body.content"`
-
- // HTTP version.
- Version string `ecs:"version"`
-
- // Total size in bytes of the request (body and headers).
- RequestBytes int64 `ecs:"request.bytes"`
-
- // Size in bytes of the request body.
- RequestBodyBytes int64 `ecs:"request.body.bytes"`
-
- // Total size in bytes of the response (body and headers).
- ResponseBytes int64 `ecs:"response.bytes"`
-
- // Size in bytes of the response body.
- ResponseBodyBytes int64 `ecs:"response.body.bytes"`
-}
diff --git a/code/go/ecs/interface.go b/code/go/ecs/interface.go
deleted file mode 100644
index 56b2e65e53..0000000000
--- a/code/go/ecs/interface.go
+++ /dev/null
@@ -1,38 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// The interface fields are used to record ingress and egress interface
-// information when reported by an observer (e.g. firewall, router, load
-// balancer) in the context of the observer handling a network connection. In
-// the case of a single observer interface (e.g. network sensor on a span port)
-// only the observer.ingress information should be populated.
-type Interface struct {
- // Interface ID as reported by an observer (typically SNMP interface ID).
- ID string `ecs:"id"`
-
- // Interface name as reported by the system.
- Name string `ecs:"name"`
-
- // Interface alias as reported by the system, typically used in firewall
- // implementations for e.g. inside, outside, or dmz logical interface
- // naming.
- Alias string `ecs:"alias"`
-}
diff --git a/code/go/ecs/log.go b/code/go/ecs/log.go
deleted file mode 100644
index c993626ade..0000000000
--- a/code/go/ecs/log.go
+++ /dev/null
@@ -1,91 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// Details about the event's logging mechanism or logging transport.
-// The log.* fields are typically populated with details about the logging
-// mechanism used to create and/or transport the event. For example, syslog
-// details belong under `log.syslog.*`.
-// The details specific to your event source are typically not logged under
-// `log.*`, but rather in `event.*` or in other ECS fields.
-type Log struct {
- // Original log level of the log event.
- // If the source of the event provides a log level or textual severity,
- // this is the one that goes in `log.level`. If your source doesn't specify
- // one, you may put your event transport's severity here (e.g. Syslog
- // severity).
- // Some examples are `warn`, `err`, `i`, `informational`.
- Level string `ecs:"level"`
-
- // Full path to the log file this event came from, including the file name.
- // It should include the drive letter, when appropriate.
- // If the event wasn't read from a log file, do not populate this field.
- FilePath string `ecs:"file.path"`
-
- // The name of the logger inside an application.
This is usually the name
- // of the class which initialized the logger, or can be a custom name.
- Logger string `ecs:"logger"`
-
- // The name of the file containing the source code which originated the log
- // event.
- // Note that this field is not meant to capture the log file. The correct
- // field to capture the log file is `log.file.path`.
- OriginFileName string `ecs:"origin.file.name"`
-
- // The line number of the file containing the source code which originated
- // the log event.
- OriginFileLine int64 `ecs:"origin.file.line"`
-
- // The name of the function or method which originated the log event.
- OriginFunction string `ecs:"origin.function"`
-
- // The Syslog metadata of the event, if the event was transmitted via
- // Syslog. Please see RFCs 5424 or 3164.
- Syslog map[string]interface{} `ecs:"syslog"`
-
- // The Syslog numeric severity of the log event, if available.
- // If the event source publishing via Syslog provides a different numeric
- // severity value (e.g. firewall, IDS), your source's numeric severity
- // should go to `event.severity`. If the event source does not specify a
- // distinct severity, you can optionally copy the Syslog severity to
- // `event.severity`.
- SyslogSeverityCode int64 `ecs:"syslog.severity.code"`
-
- // The Syslog numeric severity of the log event, if available.
- // If the event source publishing via Syslog provides a different severity
- // value (e.g. firewall, IDS), your source's text severity should go to
- // `log.level`. If the event source does not specify a distinct severity,
- // you can optionally copy the Syslog severity to `log.level`.
- SyslogSeverityName string `ecs:"syslog.severity.name"`
-
- // The Syslog numeric facility of the log event, if available.
- // According to RFCs 5424 and 3164, this value should be an integer between
- // 0 and 23.
- SyslogFacilityCode int64 `ecs:"syslog.facility.code"`
-
- // The Syslog text-based facility of the log event, if available.
- SyslogFacilityName string `ecs:"syslog.facility.name"`
-
- // Syslog numeric priority of the event, if available.
- // According to RFCs 5424 and 3164, the priority is 8 * facility +
- // severity. This number is therefore expected to contain a value between 0
- // and 191.
- SyslogPriority int64 `ecs:"syslog.priority"`
-}
diff --git a/code/go/ecs/network.go b/code/go/ecs/network.go
deleted file mode 100644
index a696a4e419..0000000000
--- a/code/go/ecs/network.go
+++ /dev/null
@@ -1,111 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// The network is defined as the communication path over which a host or
-// network event happens.
-// The network.* fields should be populated with details about the network
-// activity associated with an event.
-type Network struct {
- // Name given by operators to sections of their network.
- Name string `ecs:"name"`
-
- // In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec,
- // pim, etc
- // The field value must be normalized to lowercase for querying. See the
- // documentation section "Implementing ECS".
- Type string `ecs:"type"`
-
- // IANA Protocol Number
- // (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
- // Standardized list of protocols. This aligns well with NetFlow and sFlow
- // related logs which use the IANA Protocol Number.
- IANANumber string `ecs:"iana_number"`
-
- // Same as network.iana_number, but instead using the Keyword name of the
- // transport layer (udp, tcp, ipv6-icmp, etc.)
- // The field value must be normalized to lowercase for querying. See the
- // documentation section "Implementing ECS".
- Transport string `ecs:"transport"`
-
- // A name given to an application level protocol. This can be arbitrarily
- // assigned for things like microservices, but also apply to things like
- // skype, icq, facebook, twitter. This would be used in situations where
- // the vendor or service can be decoded such as from the source/dest IP
- // owners, ports, or wire format.
- // The field value must be normalized to lowercase for querying. See the
- // documentation section "Implementing ECS".
- Application string `ecs:"application"`
-
- // L7 Network protocol name. ex. http, lumberjack, transport protocol.
- // The field value must be normalized to lowercase for querying. See the
- // documentation section "Implementing ECS".
- Protocol string `ecs:"protocol"`
-
- // Direction of the network traffic.
- // Recommended values are:
- // * ingress
- // * egress
- // * inbound
- // * outbound
- // * internal
- // * external
- // * unknown
- //
- // When mapping events from a host-based monitoring context, populate this
- // field from the host's point of view, using the values "ingress" or
- // "egress".
- // When mapping events from a network or perimeter-based monitoring
- // context, populate this field from the point of view of the network
- // perimeter, using the values "inbound", "outbound", "internal" or
- // "external".
- // Note that "internal" is not crossing perimeter boundaries, and is meant
- // to describe communication between two hosts within the perimeter. Note
- // also that "external" is meant to describe traffic between two hosts that
- // are external to the perimeter. This could for example be useful for ISPs
- // or VPN service providers.
- Direction string `ecs:"direction"`
-
- // Host IP address when the source IP address is the proxy.
- ForwardedIP string `ecs:"forwarded_ip"`
-
- // A hash of source and destination IPs and ports, as well as the protocol
- // used in a communication. This is a tool-agnostic standard to identify
- // flows.
- // Learn more at https://github.com/corelight/community-id-spec.
- CommunityID string `ecs:"community_id"`
-
- // Total bytes transferred in both directions.
- // If `source.bytes` and `destination.bytes` are known, `network.bytes` is
- // their sum.
- Bytes int64 `ecs:"bytes"`
-
- // Total packets transferred in both directions.
- // If `source.packets` and `destination.packets` are known,
- // `network.packets` is their sum.
- Packets int64 `ecs:"packets"`
-
- // Network.inner fields are added in addition to network.vlan fields to
- // describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed
- // fields include vlan.id and vlan.name. Inner vlan fields are typically
- // used when sending traffic with multiple 802.1q encapsulations to a
- // network sensor (e.g. Zeek, Wireshark.)
- Inner map[string]interface{} `ecs:"inner"`
-}
diff --git a/code/go/ecs/observer.go b/code/go/ecs/observer.go
deleted file mode 100644
index 84eb2d0545..0000000000
--- a/code/go/ecs/observer.go
+++ /dev/null
@@ -1,94 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// An observer is defined as a special network, security, or application device
-// used to detect, observe, or create network, security, or application-related
-// events and metrics.
-// This could be a custom hardware appliance or a server that has been
-// configured to run special network, security, or application software.
-// Examples include firewalls, web proxies, intrusion detection/prevention
-// systems, network monitoring sensors, web application firewalls, data loss
-// prevention systems, and APM servers. The observer.* fields shall be
-// populated with details of the system, if any, that detects, observes and/or
-// creates a network, security, or application event or metric. Message queues
-// and ETL components used in processing events or metrics are not considered
-// observers in ECS.
-type Observer struct {
- // MAC addresses of the observer.
- // The notation format from RFC 7042 is suggested: Each octet (that is,
- // 8-bit byte) is represented by two [uppercase] hexadecimal digits giving
- // the value of the octet as an unsigned integer.
Successive octets are
- // separated by a hyphen.
- MAC string `ecs:"mac"`
-
- // IP addresses of the observer.
- IP string `ecs:"ip"`
-
- // Hostname of the observer.
- Hostname string `ecs:"hostname"`
-
- // Custom name of the observer.
- // This is a name that can be given to an observer. This can be helpful for
- // example if multiple firewalls of the same model are used in an
- // organization.
- // If no custom name is needed, the field can be left empty.
- Name string `ecs:"name"`
-
- // The product name of the observer.
- Product string `ecs:"product"`
-
- // Vendor name of the observer.
- Vendor string `ecs:"vendor"`
-
- // Observer version.
- Version string `ecs:"version"`
-
- // Observer serial number.
- SerialNumber string `ecs:"serial_number"`
-
- // The type of the observer the data is coming from.
- // There is no predefined list of observer types. Some examples are
- // `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM
- // server`.
- Type string `ecs:"type"`
-
- // Observer.ingress holds information like interface number and name, vlan,
- // and zone information to classify ingress traffic. Single armed
- // monitoring such as a network sensor on a span port should only use
- // observer.ingress to categorize traffic.
- Ingress map[string]interface{} `ecs:"ingress"`
-
- // Network zone of incoming traffic as reported by the observer to
- // categorize the source area of ingress traffic. e.g. internal, External,
- // DMZ, HR, Legal, etc.
- IngressZone string `ecs:"ingress.zone"`
-
- // Observer.egress holds information like interface number and name, vlan,
- // and zone information to classify egress traffic. Single armed
- // monitoring such as a network sensor on a span port should only use
- // observer.ingress to categorize traffic.
- Egress map[string]interface{} `ecs:"egress"`
-
- // Network zone of outbound traffic as reported by the observer to
- // categorize the destination area of egress traffic, e.g.
Internal,
- // External, DMZ, HR, Legal, etc.
- EgressZone string `ecs:"egress.zone"`
-}
diff --git a/code/go/ecs/orchestrator.go b/code/go/ecs/orchestrator.go
deleted file mode 100644
index 889a66dc38..0000000000
--- a/code/go/ecs/orchestrator.go
+++ /dev/null
@@ -1,52 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// Fields that describe the resources which container orchestrators manage or
-// act upon.
-type Orchestrator struct {
- // Name of the cluster.
- ClusterName string `ecs:"cluster.name"`
-
- // URL of the API used to manage the cluster.
- ClusterUrl string `ecs:"cluster.url"`
-
- // The version of the cluster.
- ClusterVersion string `ecs:"cluster.version"`
-
- // Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
- Type string `ecs:"type"`
-
- // Organization affected by the event (for multi-tenant orchestrator
- // setups).
- Organization string `ecs:"organization"`
-
- // Namespace in which the action is taking place.
- Namespace string `ecs:"namespace"`
-
- // Name of the resource being acted upon.
- ResourceName string `ecs:"resource.name"`
-
- // Type of resource being acted upon.
- ResourceType string `ecs:"resource.type"`
-
- // API version being used to carry out the action
- ApiVersion string `ecs:"api_version"`
-}
diff --git a/code/go/ecs/organization.go b/code/go/ecs/organization.go
deleted file mode 100644
index f60af6d90b..0000000000
--- a/code/go/ecs/organization.go
+++ /dev/null
@@ -1,32 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// The organization fields enrich data with information about the company or
-// entity the data is associated with.
-// These fields help you arrange or filter data stored in an index by one or
-// multiple organizations.
-type Organization struct {
- // Organization name.
- Name string `ecs:"name"`
-
- // Unique identifier for the organization.
- ID string `ecs:"id"`
-}
diff --git a/code/go/ecs/os.go b/code/go/ecs/os.go
deleted file mode 100644
index 3284a5357c..0000000000
--- a/code/go/ecs/os.go
+++ /dev/null
@@ -1,50 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// The OS fields contain information about the operating system. -type Os struct { - // Use the `os.type` field to categorize the operating system into one of - // the broad commercial families. - // One of these following values should be used (lowercase): linux, macos, - // unix, windows. - // If the OS you're dealing with is not in the list, the field should not - // be populated. Please let us know by opening an issue with ECS, to - // propose its addition. - Type string `ecs:"type"` - - // Operating system platform (such centos, ubuntu, windows). - Platform string `ecs:"platform"` - - // Operating system name, without the version. - Name string `ecs:"name"` - - // Operating system name, including the version or code name. - Full string `ecs:"full"` - - // OS family (such as redhat, debian, freebsd, windows). - Family string `ecs:"family"` - - // Operating system version as a raw string. - Version string `ecs:"version"` - - // Operating system kernel version as a raw string. - Kernel string `ecs:"kernel"` -} 
diff --git a/code/go/ecs/package.go b/code/go/ecs/package.go deleted file mode 100644 index 13d23c4ee2..0000000000 --- a/code/go/ecs/package.go +++ /dev/null 
@@ -1,74 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -import ( - "time" -) - -// These fields contain information about an installed software package. It -// contains general information about a package, such as name, version or size. -// It also contains installation details, such as time or location. -type Package struct { - // Package name - Name string `ecs:"name"` - - // Package version - Version string `ecs:"version"` - - // Additional information about the build version of the installed package. - // For example use the commit SHA of a non-released package. - BuildVersion string `ecs:"build_version"` - - // Description of the package. - Description string `ecs:"description"` - - // Package size in bytes. - Size int64 `ecs:"size"` - - // Time when package was installed. - Installed time.Time `ecs:"installed"` - - // Path where the package is installed. - Path string `ecs:"path"` - - // Package architecture. - Architecture string `ecs:"architecture"` - - // Checksum of the installed package for verification. - Checksum string `ecs:"checksum"` - - // Indicating how the package was installed, e.g. user-local, global. 
- InstallScope string `ecs:"install_scope"` - - // License under which the package was released. - // Use a short name, e.g. the license identifier from SPDX License List - // where possible (https://spdx.org/licenses/). - License string `ecs:"license"` - - // Home page or reference URL of the software in this package, if - // available. - Reference string `ecs:"reference"` - - // Type of package. - // This should contain the package file type, rather than the package - // manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. - Type string `ecs:"type"` -} diff --git a/code/go/ecs/pe.go b/code/go/ecs/pe.go deleted file mode 100644 index bdc4faef9b..0000000000 --- a/code/go/ecs/pe.go +++ /dev/null 
@@ -1,49 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// These fields contain Windows Portable Executable (PE) metadata. -type Pe struct { - // Internal name of the file, provided at compile-time. - OriginalFileName string `ecs:"original_file_name"` - - // Internal version of the file, provided at compile-time. - FileVersion string `ecs:"file_version"` - - // Internal description of the file, provided at compile-time. - Description string `ecs:"description"` - - // Internal product name of the file, provided at compile-time. - Product string `ecs:"product"` - - // Internal company name of the file, provided at compile-time. - Company string `ecs:"company"` - - // A hash of the imports in a PE file. An imphash -- or import hash -- can - // be used to fingerprint binaries even after recompilation or other - // code-level transformations have occurred, which would change more - // traditional hash values. - // Learn more at - // https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - Imphash string `ecs:"imphash"` - - // CPU architecture target for the file. - Architecture string `ecs:"architecture"` -} 
diff --git a/code/go/ecs/process.go b/code/go/ecs/process.go deleted file mode 100644 index e65664e6d9..0000000000 --- a/code/go/ecs/process.go +++ /dev/null 
@@ -1,101 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -import ( - "time" -) - -// These fields contain information about a process. -// These fields can help you correlate metrics information with a process -// id/name from a log message. The `process.pid` often stays in the metric -// itself and is copied to the global field for correlation. -type Process struct { - // Process id. - PID int64 `ecs:"pid"` - - // Unique identifier for the process. - // The implementation of this is specified by the data source, but some - // examples of what could be used here are a process-generated UUID, Sysmon - // Process GUIDs, or a hash of some uniquely identifying components of a - // process. - // Constructing a globally unique identifier is a common practice to - // mitigate PID reuse as well as to identify a specific process over time, - // across multiple monitored hosts. - EntityID string `ecs:"entity_id"` - - // Process name. - // Sometimes called program name or similar. - Name string `ecs:"name"` - - // Parent process' pid. - PPID int64 `ecs:"ppid"` - - // Identifier of the group of processes the process belongs to. 
- PGID int64 `ecs:"pgid"` - - // Full command line that started the process, including the absolute path - // to the executable, and all arguments. - // Some arguments may be filtered to protect sensitive information. - CommandLine string `ecs:"command_line"` - - // Array of process arguments, starting with the absolute path to the - // executable. - // May be filtered to protect sensitive information. - Args []string `ecs:"args"` - - // Length of the process.args array. - // This field can be useful for querying or performing bucket analysis on - // how many arguments were provided to start a process. More arguments may - // be an indication of suspicious activity. - ArgsCount int64 `ecs:"args_count"` - - // Absolute path to the process executable. - Executable string `ecs:"executable"` - - // Process title. - // The proctitle, some times the same as process name. Can also be - // different: for example a browser setting its title to the web page - // currently opened. - Title string `ecs:"title"` - - // Thread ID. - ThreadID int64 `ecs:"thread.id"` - - // Thread name. - ThreadName string `ecs:"thread.name"` - - // The time the process started. - Start time.Time `ecs:"start"` - - // Seconds the process has been up. - Uptime int64 `ecs:"uptime"` - - // The working directory of the process. - WorkingDirectory string `ecs:"working_directory"` - - // The exit code of the process, if this is a termination event. - // The field should be absent if there is no exit code for the event (e.g. - // process start). - ExitCode int64 `ecs:"exit_code"` - - // The time the process ended. - End time.Time `ecs:"end"` -} diff --git a/code/go/ecs/registry.go b/code/go/ecs/registry.go deleted file mode 100644 index 54a01777cf..0000000000 --- a/code/go/ecs/registry.go +++ /dev/null 
@@ -1,54 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// Fields related to Windows Registry operations. -type Registry struct { - // Abbreviated name for the hive. - Hive string `ecs:"hive"` - - // Hive-relative path of keys. - Key string `ecs:"key"` - - // Name of the value written. - Value string `ecs:"value"` - - // Full path, including hive, key and value - Path string `ecs:"path"` - - // Standard registry type for encoding contents - DataType string `ecs:"data.type"` - - // Content when writing string types. - // Populated as an array when writing string data to the registry. For - // single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an - // array with one string. For sequences of string with REG_MULTI_SZ, this - // array will be variable length. For numeric data, such as REG_DWORD and - // REG_QWORD, this should be populated with the decimal representation (e.g - // `"1"`). - DataStrings string `ecs:"data.strings"` - - // Original bytes written with base64 encoding. - // For Windows registry operations, such as SetValueEx and RegQueryValueEx, - // this corresponds to the data pointed by `lp_data`. 
This is optional but - // provides better recoverability and should be populated for REG_BINARY - // encoded values. - DataBytes string `ecs:"data.bytes"` -} diff --git a/code/go/ecs/related.go b/code/go/ecs/related.go deleted file mode 100644 index b32da1647c..0000000000 --- a/code/go/ecs/related.go +++ /dev/null 
@@ -1,45 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// This field set is meant to facilitate pivoting around a piece of data. -// Some pieces of information can be seen in many places in an ECS event. To -// facilitate searching for them, store an array of all seen values to their -// corresponding field in `related.`. -// A concrete example is IP addresses, which can be under host, observer, -// source, destination, client, server, and network.forwarded_ip. If you append -// all IPs to `related.ip`, you can then search for a given IP trivially, no -// matter where it appeared, by querying `related.ip:192.0.2.15`. -type Related struct { - // All of the IPs seen on your event. - IP string `ecs:"ip"` - - // All the user names or other user identifiers seen on the event. - User string `ecs:"user"` - - // All the hashes seen on your event. Populating this field, then using it - // to search for hashes can help in situations where you're unsure what the - // hash algorithm is (and therefore which key name to search). - Hash string `ecs:"hash"` - - // All hostnames or other host identifiers seen on your event. 
Example - // identifiers include FQDNs, domain names, workstation names, or aliases. - Hosts string `ecs:"hosts"` -} diff --git a/code/go/ecs/rule.go b/code/go/ecs/rule.go deleted file mode 100644 index ae07c808f5..0000000000 --- a/code/go/ecs/rule.go +++ /dev/null 
@@ -1,68 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// Rule fields are used to capture the specifics of any observer or agent rules -// that generate alerts or other notable events. -// Examples of data sources that would populate the rule fields include: -// network admission control platforms, network or host IDS/IPS, network -// firewalls, web application firewalls, url filters, endpoint detection and -// response (EDR) systems, etc. -type Rule struct { - // A rule ID that is unique within the scope of an agent, observer, or - // other entity using the rule for detection of this event. - ID string `ecs:"id"` - - // A rule ID that is unique within the scope of a set or group of agents, - // observers, or other entities using the rule for detection of this event. - Uuid string `ecs:"uuid"` - - // The version / revision of the rule being used for analysis. - Version string `ecs:"version"` - - // The name of the rule or signature generating the event. - Name string `ecs:"name"` - - // The description of the rule generating the event. 
- Description string `ecs:"description"` - - // A categorization value keyword used by the entity using the rule for - // detection of this event. - Category string `ecs:"category"` - - // Name of the ruleset, policy, group, or parent category in which the rule - // used to generate this event is a member. - Ruleset string `ecs:"ruleset"` - - // Reference URL to additional information about the rule used to generate - // this event. - // The URL can point to the vendor's documentation about the rule. If - // that's not available, it can also be a link to a more general page - // describing this type of alert. - Reference string `ecs:"reference"` - - // Name, organization, or pseudonym of the author or authors who created - // the rule used to generate this event. - Author string `ecs:"author"` - - // Name of the license under which the rule used to generate this event is - // made available. - License string `ecs:"license"` -} diff --git a/code/go/ecs/server.go b/code/go/ecs/server.go deleted file mode 100644 index dfd43b0f0a..0000000000 --- a/code/go/ecs/server.go +++ /dev/null 
@@ -1,103 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// A Server is defined as the responder in a network connection for events -// regarding sessions, connections, or bidirectional flow records. -// For TCP events, the server is the receiver of the initial SYN packet(s) of -// the TCP connection. For other protocols, the server is generally the -// responder in the network transaction. Some systems actually use the term -// "responder" to refer the server in TCP connections. The server fields -// describe details about the system acting as the server in the network event. -// Server fields are usually populated in conjunction with client fields. -// Server fields are generally not populated for packet-level events. -// Client / server representations can add semantic context to an exchange, -// which is helpful to visualize the data in certain situations. If your -// context falls in that category, you should still ensure that source and -// destination are filled appropriately. -type Server struct { - // Some event server addresses are defined ambiguously. The event will - // sometimes list an IP, a domain or a unix socket. 
You should always - // store the raw address in the `.address` field. - // Then it should be duplicated to `.ip` or `.domain`, depending on which - // one it is. - Address string `ecs:"address"` - - // IP address of the server (IPv4 or IPv6). - IP string `ecs:"ip"` - - // Port of the server. - Port int64 `ecs:"port"` - - // MAC address of the server. - // The notation format from RFC 7042 is suggested: Each octet (that is, - // 8-bit byte) is represented by two [uppercase] hexadecimal digits giving - // the value of the octet as an unsigned integer. Successive octets are - // separated by a hyphen. - MAC string `ecs:"mac"` - - // Server domain. - Domain string `ecs:"domain"` - - // The highest registered server domain, stripped of the subdomain. - // For example, the registered domain for "foo.example.com" is - // "example.com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last two labels will not work well for TLDs such as - // "co.uk". - RegisteredDomain string `ecs:"registered_domain"` - - // The effective top level domain (eTLD), also known as the domain suffix, - // is the last part of the domain name. For example, the top level domain - // for example.com is "com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last label will not work well for effective TLDs such - // as "co.uk". - TopLevelDomain string `ecs:"top_level_domain"` - - // The subdomain portion of a fully qualified domain name includes all of - // the names except the host name under the registered_domain. In a - // partially qualified domain, or if the the qualification level of the - // full name cannot be determined, subdomain contains all of the names - // below the registered domain. 
- // For example the subdomain portion of "www.east.mydomain.co.uk" is - // "east". If the domain has multiple levels of subdomain, such as - // "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", - // with no trailing period. - Subdomain string `ecs:"subdomain"` - - // Bytes sent from the server to the client. - Bytes int64 `ecs:"bytes"` - - // Packets sent from the server to the client. - Packets int64 `ecs:"packets"` - - // Translated ip of destination based NAT sessions (e.g. internet to - // private DMZ) - // Typically used with load balancers, firewalls, or routers. - NatIP string `ecs:"nat.ip"` - - // Translated port of destination based NAT sessions (e.g. internet to - // private DMZ) - // Typically used with load balancers, firewalls, or routers. - NatPort int64 `ecs:"nat.port"` -} diff --git a/code/go/ecs/service.go b/code/go/ecs/service.go deleted file mode 100644 index 5716f0855c..0000000000 --- a/code/go/ecs/service.go +++ /dev/null 
@@ -1,88 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// The service fields describe the service for or from which the data was -// collected. -// These fields help you find and correlate logs for a specific service and -// version. -type Service struct { - // Identifies the environment where the service is running. - // If the same service runs in different environments (production, staging, - // QA, development, etc.), the environment can identify other instances of - // the same service. Can also group services and applications from the same - // environment. - Environment string `ecs:"environment"` - - // Unique identifier of the running service. If the service is comprised of - // many nodes, the `service.id` should be the same for all nodes. - // This id should uniquely identify the service. This makes it possible to - // correlate logs and metrics for one specific service, no matter which - // particular node emitted the event. - // Note that if you need to see the events from one specific host of the - // service, you should filter on that `host.name` or `host.id` instead. 
- ID string `ecs:"id"` - - // Name of the service data is collected from. - // The name of the service is normally user given. This allows for - // distributed services that run on multiple hosts to correlate the related - // instances based on the name. - // In the case of Elasticsearch the `service.name` could contain the - // cluster name. For Beats the `service.name` is by default a copy of the - // `service.type` field if no name is specified. - Name string `ecs:"name"` - - // Name of a service node. - // This allows for two nodes of the same service running on the same host - // to be differentiated. Therefore, `service.node.name` should typically be - // unique across nodes of a given service. - // In the case of Elasticsearch, the `service.node.name` could contain the - // unique node name within the Elasticsearch cluster. In cases where the - // service doesn't have the concept of a node name, the host name or - // container name can be used to distinguish running instances that make up - // this service. If those do not provide uniqueness (e.g. multiple - // instances of the service running on the same host) - the node name can - // be manually set. - NodeName string `ecs:"node.name"` - - // The type of the service data is collected from. - // The type can be used to group and correlate logs and metrics from one - // service type. - // Example: If logs or metrics are collected from Elasticsearch, - // `service.type` would be `elasticsearch`. - Type string `ecs:"type"` - - // Current state of the service. - State string `ecs:"state"` - - // Version of the service the data was collected from. - // This allows to look at a data set only for a specific version of a - // service. - Version string `ecs:"version"` - - // Ephemeral identifier of this service (if one exists). - // This id normally changes across restarts, but `service.id` does not. - EphemeralID string `ecs:"ephemeral_id"` - - // Address where data about this service was collected from. 
- // This should be a URI, network address (ipv4:port or [ipv6]:port) or a - // resource path (sockets). - Address string `ecs:"address"` -} diff --git a/code/go/ecs/source.go b/code/go/ecs/source.go deleted file mode 100644 index d407ee5d20..0000000000 --- a/code/go/ecs/source.go +++ /dev/null 
@@ -1,99 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// Source fields capture details about the sender of a network exchange/packet. -// These fields are populated from a network event, packet, or other event -// containing details of a network transaction. -// Source fields are usually populated in conjunction with destination fields. -// The source and destination fields are considered the baseline and should -// always be filled if an event contains source and destination details from a -// network transaction. If the event also contains identification of the client -// and server roles, then the client and server fields should also be -// populated. -type Source struct { - // Some event source addresses are defined ambiguously. The event will - // sometimes list an IP, a domain or a unix socket. You should always - // store the raw address in the `.address` field. - // Then it should be duplicated to `.ip` or `.domain`, depending on which - // one it is. - Address string `ecs:"address"` - - // IP address of the source (IPv4 or IPv6). - IP string `ecs:"ip"` - - // Port of the source. 
- Port int64 `ecs:"port"` - - // MAC address of the source. - // The notation format from RFC 7042 is suggested: Each octet (that is, - // 8-bit byte) is represented by two [uppercase] hexadecimal digits giving - // the value of the octet as an unsigned integer. Successive octets are - // separated by a hyphen. - MAC string `ecs:"mac"` - - // Source domain. - Domain string `ecs:"domain"` - - // The highest registered source domain, stripped of the subdomain. - // For example, the registered domain for "foo.example.com" is - // "example.com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last two labels will not work well for TLDs such as - // "co.uk". - RegisteredDomain string `ecs:"registered_domain"` - - // The effective top level domain (eTLD), also known as the domain suffix, - // is the last part of the domain name. For example, the top level domain - // for example.com is "com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last label will not work well for effective TLDs such - // as "co.uk". - TopLevelDomain string `ecs:"top_level_domain"` - - // The subdomain portion of a fully qualified domain name includes all of - // the names except the host name under the registered_domain. In a - // partially qualified domain, or if the the qualification level of the - // full name cannot be determined, subdomain contains all of the names - // below the registered domain. - // For example the subdomain portion of "www.east.mydomain.co.uk" is - // "east". If the domain has multiple levels of subdomain, such as - // "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", - // with no trailing period. - Subdomain string `ecs:"subdomain"` - - // Bytes sent from the source to the destination. 
- Bytes int64 `ecs:"bytes"` - - // Packets sent from the source to the destination. - Packets int64 `ecs:"packets"` - - // Translated ip of source based NAT sessions (e.g. internal client to - // internet) - // Typically connections traversing load balancers, firewalls, or routers. - NatIP string `ecs:"nat.ip"` - - // Translated port of source based NAT sessions. (e.g. internal client to - // internet) - // Typically used with load balancers, firewalls, or routers. - NatPort int64 `ecs:"nat.port"` -} diff --git a/code/go/ecs/threat.go b/code/go/ecs/threat.go deleted file mode 100644 index 87fd5c4879..0000000000 --- a/code/go/ecs/threat.go +++ /dev/null 
@@ -1,332 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -import ( - "time" -) - -// Fields to classify events and alerts according to a threat taxonomy such as -// the MITRE ATT&CK® framework. -// These fields are for users to classify alerts from all of their sources -// (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields -// are meant to capture the high level category of the threat (e.g. "impact"). -// The threat.technique.* fields are meant to capture which kind of approach is -// used by this detected threat, to accomplish the goal (e.g. "endpoint denial -// of service"). -type Threat struct { - // A list of associated indicators objects enriching the event, and the - // context of that association/enrichment. - Enrichments []Enrichments `ecs:"enrichments"` - - // Name of the threat framework used to further categorize and classify the - // tactic and technique of the reported threat. Framework classification - // can be provided by detecting systems, evaluated at ingest time, or - // retrospectively tagged to events. 
- Framework string `ecs:"framework"` - - // The alias(es) of the group for a set of related intrusion activity that - // are tracked by a common name in the security community. - // While not required, you can use a MITRE ATT&CK® group alias(es). - GroupAlias string `ecs:"group.alias"` - - // The id of the group for a set of related intrusion activity that are - // tracked by a common name in the security community. - // While not required, you can use a MITRE ATT&CK® group id. - GroupID string `ecs:"group.id"` - - // The name of the group for a set of related intrusion activity that are - // tracked by a common name in the security community. - // While not required, you can use a MITRE ATT&CK® group name. - GroupName string `ecs:"group.name"` - - // The reference URL of the group for a set of related intrusion activity - // that are tracked by a common name in the security community. - // While not required, you can use a MITRE ATT&CK® group reference URL. - GroupReference string `ecs:"group.reference"` - - // The date and time when intelligence source first reported sighting this - // indicator. - IndicatorFirstSeen time.Time `ecs:"indicator.first_seen"` - - // The date and time when intelligence source last reported sighting this - // indicator. - IndicatorLastSeen time.Time `ecs:"indicator.last_seen"` - - // The date and time when intelligence source last modified information for - // this indicator. - IndicatorModifiedAt time.Time `ecs:"indicator.modified_at"` - - // Number of times this indicator was observed conducting threat activity. - IndicatorSightings int64 `ecs:"indicator.sightings"` - - // Type of indicator as represented by Cyber Observable in STIX 2.0. 
- // Recommended values: - // * autonomous-system - // * artifact - // * directory - // * domain-name - // * email-addr - // * file - // * ipv4-addr - // * ipv6-addr - // * mac-addr - // * mutex - // * port - // * process - // * software - // * url - // * user-account - // * windows-registry-key - // * x509-certificate - IndicatorType string `ecs:"indicator.type"` - - // Describes the type of action conducted by the threat. - IndicatorDescription string `ecs:"indicator.description"` - - // Count of AV/EDR vendors that successfully detected malicious file or - // URL. - IndicatorScannerStats int64 `ecs:"indicator.scanner_stats"` - - // Identifies the confidence rating assigned by the provider using STIX - // confidence scales. - // Recommended values: - // * Not Specified, None, Low, Medium, High - // * 0-10 - // * Admirality Scale (1-6) - // * DNI Scale (5-95) - // * WEP Scale (Impossible - Certain) - IndicatorConfidence string `ecs:"indicator.confidence"` - - // Identifies a threat indicator as an IP address (irrespective of - // direction). - IndicatorIP string `ecs:"indicator.ip"` - - // Identifies a threat indicator as a port number (irrespective of - // direction). - IndicatorPort int64 `ecs:"indicator.port"` - - // Identifies a threat indicator as an email address (irrespective of - // direction). - IndicatorEmailAddress string `ecs:"indicator.email.address"` - - // Traffic Light Protocol sharing markings. - // Recommended values are: - // * WHITE - // * GREEN - // * AMBER - // * RED - IndicatorMarkingTlp string `ecs:"indicator.marking.tlp"` - - // Reference URL linking to additional information about this indicator. - IndicatorReference string `ecs:"indicator.reference"` - - // The name of the indicator's provider. - IndicatorProvider string `ecs:"indicator.provider"` - - // The id of the software used by this threat to conduct behavior commonly - // modeled using MITRE ATT&CK®. - // While not required, you can use a MITRE ATT&CK® software id. 
- SoftwareID string `ecs:"software.id"` - - // The name of the software used by this threat to conduct behavior - // commonly modeled using MITRE ATT&CK®. - // While not required, you can use a MITRE ATT&CK® software name. - SoftwareName string `ecs:"software.name"` - - // The alias(es) of the software for a set of related intrusion activity - // that are tracked by a common name in the security community. - // While not required, you can use a MITRE ATT&CK® associated software - // description. - SoftwareAlias string `ecs:"software.alias"` - - // The platforms of the software used by this threat to conduct behavior - // commonly modeled using MITRE ATT&CK®. - // Recommended Values: - // * AWS - // * Azure - // * Azure AD - // * GCP - // * Linux - // * macOS - // * Network - // * Office 365 - // * SaaS - // * Windows - // - // While not required, you can use a MITRE ATT&CK® software platforms. - SoftwarePlatforms string `ecs:"software.platforms"` - - // The reference URL of the software used by this threat to conduct - // behavior commonly modeled using MITRE ATT&CK®. - // While not required, you can use a MITRE ATT&CK® software reference URL. - SoftwareReference string `ecs:"software.reference"` - - // The type of software used by this threat to conduct behavior commonly - // modeled using MITRE ATT&CK®. - // Recommended values - // * Malware - // * Tool - // - // While not required, you can use a MITRE ATT&CK® software type. - SoftwareType string `ecs:"software.type"` - - // The id of tactic used by this threat. You can use a MITRE ATT&CK® - // tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) - TacticID string `ecs:"tactic.id"` - - // Name of the type of tactic used by this threat. You can use a MITRE - // ATT&CK® tactic, for example. (ex. - // https://attack.mitre.org/tactics/TA0002/) - TacticName string `ecs:"tactic.name"` - - // The reference url of tactic used by this threat. You can use a MITRE - // ATT&CK® tactic, for example. (ex. 
- // https://attack.mitre.org/tactics/TA0002/ ) - TacticReference string `ecs:"tactic.reference"` - - // The id of technique used by this threat. You can use a MITRE ATT&CK® - // technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - TechniqueID string `ecs:"technique.id"` - - // The name of technique used by this threat. You can use a MITRE ATT&CK® - // technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - TechniqueName string `ecs:"technique.name"` - - // The reference url of technique used by this threat. You can use a MITRE - // ATT&CK® technique, for example. (ex. - // https://attack.mitre.org/techniques/T1059/) - TechniqueReference string `ecs:"technique.reference"` - - // The full id of subtechnique used by this threat. You can use a MITRE - // ATT&CK® subtechnique, for example. (ex. - // https://attack.mitre.org/techniques/T1059/001/) - TechniqueSubtechniqueID string `ecs:"technique.subtechnique.id"` - - // The name of subtechnique used by this threat. You can use a MITRE - // ATT&CK® subtechnique, for example. (ex. - // https://attack.mitre.org/techniques/T1059/001/) - TechniqueSubtechniqueName string `ecs:"technique.subtechnique.name"` - - // The reference url of subtechnique used by this threat. You can use a - // MITRE ATT&CK® subtechnique, for example. (ex. - // https://attack.mitre.org/techniques/T1059/001/) - TechniqueSubtechniqueReference string `ecs:"technique.subtechnique.reference"` -} - -type Enrichments struct { - // Object containing associated indicators enriching the event. - Indicator map[string]interface{} `ecs:"indicator"` - - // The date and time when intelligence source first reported sighting this - // indicator. - IndicatorFirstSeen time.Time `ecs:"indicator.first_seen"` - - // The date and time when intelligence source last reported sighting this - // indicator. 
- IndicatorLastSeen time.Time `ecs:"indicator.last_seen"` - - // The date and time when intelligence source last modified information for - // this indicator. - IndicatorModifiedAt time.Time `ecs:"indicator.modified_at"` - - // Number of times this indicator was observed conducting threat activity. - IndicatorSightings int64 `ecs:"indicator.sightings"` - - // Type of indicator as represented by Cyber Observable in STIX 2.0. - // Recommended values: - // * autonomous-system - // * artifact - // * directory - // * domain-name - // * email-addr - // * file - // * ipv4-addr - // * ipv6-addr - // * mac-addr - // * mutex - // * port - // * process - // * software - // * url - // * user-account - // * windows-registry-key - // * x509-certificate - IndicatorType string `ecs:"indicator.type"` - - // Describes the type of action conducted by the threat. - IndicatorDescription string `ecs:"indicator.description"` - - // Count of AV/EDR vendors that successfully detected malicious file or - // URL. - IndicatorScannerStats int64 `ecs:"indicator.scanner_stats"` - - // Identifies the confidence rating assigned by the provider using - // STIX confidence scales. Expected values: - // * Not Specified, None, Low, Medium, High - // * 0-10 - // * Admirality Scale (1-6) - // * DNI Scale (5-95) - // * WEP Scale (Impossible - Certain) - IndicatorConfidence string `ecs:"indicator.confidence"` - - // Identifies a threat indicator as an IP address (irrespective of - // direction). - IndicatorIP string `ecs:"indicator.ip"` - - // Identifies a threat indicator as a port number (irrespective of - // direction). - IndicatorPort int64 `ecs:"indicator.port"` - - // Identifies a threat indicator as an email address (irrespective of - // direction). - IndicatorEmailAddress string `ecs:"indicator.email.address"` - - // Traffic Light Protocol sharing markings. 
Recommended values are: - // * WHITE - // * GREEN - // * AMBER - // * RED - IndicatorMarkingTlp string `ecs:"indicator.marking.tlp"` - - // Reference URL linking to additional information about this indicator. - IndicatorReference string `ecs:"indicator.reference"` - - // The name of the indicator's provider. - IndicatorProvider string `ecs:"indicator.provider"` - - // Identifies the atomic indicator value that matched a local environment - // endpoint or network event. - MatchedAtomic string `ecs:"matched.atomic"` - - // Identifies the field of the atomic indicator that matched a local - // environment endpoint or network event. - MatchedField string `ecs:"matched.field"` - - // Identifies the _id of the indicator document enriching the event. - MatchedID string `ecs:"matched.id"` - - // Identifies the _index of the indicator document enriching the event. - MatchedIndex string `ecs:"matched.index"` - - // Identifies the type of match that caused the event to be enriched with - // the given indicator - MatchedType string `ecs:"matched.type"` -} diff --git a/code/go/ecs/tls.go b/code/go/ecs/tls.go deleted file mode 100644 index 3fd1e0e788..0000000000 --- a/code/go/ecs/tls.go +++ /dev/null 
@@ -1,151 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -import ( - "time" -) - -// Fields related to a TLS connection. These fields focus on the TLS protocol -// itself and intentionally avoids in-depth analysis of the related x.509 -// certificate files. -type Tls struct { - // Numeric part of the version parsed from the original string. - Version string `ecs:"version"` - - // Normalized lowercase protocol name parsed from original string. - VersionProtocol string `ecs:"version_protocol"` - - // String indicating the cipher used during the current connection. - Cipher string `ecs:"cipher"` - - // String indicating the curve used for the given cipher, when applicable. - Curve string `ecs:"curve"` - - // Boolean flag indicating if this TLS connection was resumed from an - // existing TLS negotiation. - Resumed bool `ecs:"resumed"` - - // Boolean flag indicating if the TLS negotiation was successful and - // transitioned to an encrypted tunnel. - Established bool `ecs:"established"` - - // String indicating the protocol being tunneled. 
Per the values in the - // IANA registry - // (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), - // this string should be lower case. - NextProtocol string `ecs:"next_protocol"` - - // A hash that identifies clients based on how they perform an SSL/TLS - // handshake. - ClientJa3 string `ecs:"client.ja3"` - - // Also called an SNI, this tells the server which hostname to which the - // client is attempting to connect to. When this value is available, it - // should get copied to `destination.domain`. - ClientServerName string `ecs:"client.server_name"` - - // Array of ciphers offered by the client during the client hello. - ClientSupportedCiphers string `ecs:"client.supported_ciphers"` - - // Distinguished name of subject of the x.509 certificate presented by the - // client. - ClientSubject string `ecs:"client.subject"` - - // Distinguished name of subject of the issuer of the x.509 certificate - // presented by the client. - ClientIssuer string `ecs:"client.issuer"` - - // Date/Time indicating when client certificate is first considered valid. - ClientNotBefore time.Time `ecs:"client.not_before"` - - // Date/Time indicating when client certificate is no longer considered - // valid. - ClientNotAfter time.Time `ecs:"client.not_after"` - - // Array of PEM-encoded certificates that make up the certificate chain - // offered by the client. This is usually mutually-exclusive of - // `client.certificate` since that value should be the first certificate in - // the chain. - ClientCertificateChain string `ecs:"client.certificate_chain"` - - // PEM-encoded stand-alone certificate offered by the client. This is - // usually mutually-exclusive of `client.certificate_chain` since this - // value also exists in that list. - ClientCertificate string `ecs:"client.certificate"` - - // Certificate fingerprint using the MD5 digest of DER-encoded version of - // certificate offered by the client. 
For consistency with other hash - // values, this value should be formatted as an uppercase hash. - ClientHashMd5 string `ecs:"client.hash.md5"` - - // Certificate fingerprint using the SHA1 digest of DER-encoded version of - // certificate offered by the client. For consistency with other hash - // values, this value should be formatted as an uppercase hash. - ClientHashSha1 string `ecs:"client.hash.sha1"` - - // Certificate fingerprint using the SHA256 digest of DER-encoded version - // of certificate offered by the client. For consistency with other hash - // values, this value should be formatted as an uppercase hash. - ClientHashSha256 string `ecs:"client.hash.sha256"` - - // A hash that identifies servers based on how they perform an SSL/TLS - // handshake. - ServerJa3s string `ecs:"server.ja3s"` - - // Subject of the x.509 certificate presented by the server. - ServerSubject string `ecs:"server.subject"` - - // Subject of the issuer of the x.509 certificate presented by the server. - ServerIssuer string `ecs:"server.issuer"` - - // Timestamp indicating when server certificate is first considered valid. - ServerNotBefore time.Time `ecs:"server.not_before"` - - // Timestamp indicating when server certificate is no longer considered - // valid. - ServerNotAfter time.Time `ecs:"server.not_after"` - - // Array of PEM-encoded certificates that make up the certificate chain - // offered by the server. This is usually mutually-exclusive of - // `server.certificate` since that value should be the first certificate in - // the chain. - ServerCertificateChain string `ecs:"server.certificate_chain"` - - // PEM-encoded stand-alone certificate offered by the server. This is - // usually mutually-exclusive of `server.certificate_chain` since this - // value also exists in that list. - ServerCertificate string `ecs:"server.certificate"` - - // Certificate fingerprint using the MD5 digest of DER-encoded version of - // certificate offered by the server. 
For consistency with other hash - // values, this value should be formatted as an uppercase hash. - ServerHashMd5 string `ecs:"server.hash.md5"` - - // Certificate fingerprint using the SHA1 digest of DER-encoded version of - // certificate offered by the server. For consistency with other hash - // values, this value should be formatted as an uppercase hash. - ServerHashSha1 string `ecs:"server.hash.sha1"` - - // Certificate fingerprint using the SHA256 digest of DER-encoded version - // of certificate offered by the server. For consistency with other hash - // values, this value should be formatted as an uppercase hash. - ServerHashSha256 string `ecs:"server.hash.sha256"` -} diff --git a/code/go/ecs/tracing.go b/code/go/ecs/tracing.go deleted file mode 100644 index a0f6b2508d..0000000000 --- a/code/go/ecs/tracing.go +++ /dev/null 
@@ -1,45 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// Distributed tracing makes it possible to analyze performance throughout a -// microservice architecture all in one view. This is accomplished by tracing -// all of the requests - from the initial web request in the front-end service -// - to queries made through multiple back-end services. -// Unlike most field sets in ECS, the tracing fields are *not* nested under the -// field set name. In other words, the correct field name is `trace.id`, not -// `tracing.trace.id`, and so on. -type Tracing struct { - // Unique identifier of the trace. - // A trace groups multiple events like transactions that belong together. - // For example, a user request handled by multiple inter-connected - // services. - TraceID string `ecs:"trace.id"` - - // Unique identifier of the transaction within the scope of its trace. - // A transaction is the highest level of work measured within a service, - // such as a request to a server. - TransactionID string `ecs:"transaction.id"` - - // Unique identifier of the span within the scope of its trace. 
- // A span represents an operation within a transaction, such as a request - // to another service, or a database query. - SpanID string `ecs:"span.id"` -} diff --git a/code/go/ecs/url.go b/code/go/ecs/url.go deleted file mode 100644 index d9a05e4a81..0000000000 --- a/code/go/ecs/url.go +++ /dev/null 
@@ -1,112 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// URL fields provide support for complete or partial URLs, and supports the -// breaking down into scheme, domain, path, and so on. -type Url struct { - // Unmodified original url as seen in the event source. - // Note that in network monitoring, the observed URL may be a full URL, - // whereas in access logs, the URL is often just represented as a path. - // This field is meant to represent the URL as it was observed, complete or - // not. - Original string `ecs:"original"` - - // If full URLs are important to your use case, they should be stored in - // `url.full`, whether this field is reconstructed or present in the event - // source. - Full string `ecs:"full"` - - // Scheme of the request, such as "https". - // Note: The `:` is not part of the scheme. - Scheme string `ecs:"scheme"` - - // Domain of the url, such as "www.elastic.co". - // In some cases a URL may refer to an IP and/or port directly, without a - // domain name. In this case, the IP address would go to the `domain` - // field. 
- // If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF - // RFC 2732), the `[` and `]` characters should also be captured in the - // `domain` field. - Domain string `ecs:"domain"` - - // The highest registered url domain, stripped of the subdomain. - // For example, the registered domain for "foo.example.com" is - // "example.com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last two labels will not work well for TLDs such as - // "co.uk". - RegisteredDomain string `ecs:"registered_domain"` - - // The effective top level domain (eTLD), also known as the domain suffix, - // is the last part of the domain name. For example, the top level domain - // for example.com is "com". - // This value can be determined precisely with a list like the public - // suffix list (http://publicsuffix.org). Trying to approximate this by - // simply taking the last label will not work well for effective TLDs such - // as "co.uk". - TopLevelDomain string `ecs:"top_level_domain"` - - // The subdomain portion of a fully qualified domain name includes all of - // the names except the host name under the registered_domain. In a - // partially qualified domain, or if the the qualification level of the - // full name cannot be determined, subdomain contains all of the names - // below the registered domain. - // For example the subdomain portion of "www.east.mydomain.co.uk" is - // "east". If the domain has multiple levels of subdomain, such as - // "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", - // with no trailing period. - Subdomain string `ecs:"subdomain"` - - // Port of the request, such as 443. - Port int64 `ecs:"port"` - - // Path of the request, such as "/search". - Path string `ecs:"path"` - - // The query field describes the query string of the request, such as - // "q=elasticsearch". 
- // The `?` is excluded from the query string. If a URL contains no `?`, - // there is no query field. If there is a `?` but no query, the query field - // exists with an empty string. The `exists` query can be used to - // differentiate between the two cases. - Query string `ecs:"query"` - - // The field contains the file extension from the original request url, - // excluding the leading dot. - // The file extension is only set if it exists, as not every url has a file - // extension. - // The leading period must not be included. For example, the value must be - // "png", not ".png". - // Note that when the file name has multiple extensions (example.tar.gz), - // only the last one should be captured ("gz", not "tar.gz"). - Extension string `ecs:"extension"` - - // Portion of the url after the `#`, such as "top". - // The `#` is not part of the fragment. - Fragment string `ecs:"fragment"` - - // Username of the request. - Username string `ecs:"username"` - - // Password of the request. - Password string `ecs:"password"` -} diff --git a/code/go/ecs/user.go b/code/go/ecs/user.go deleted file mode 100644 index ce2936d0fd..0000000000 --- a/code/go/ecs/user.go +++ /dev/null 
@@ -1,50 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// The user fields describe information about the user that is relevant to the -// event. -// Fields can have one entry or multiple entries. If a user has more than one -// id, provide an array that includes all of them. -type User struct { - // Unique identifier of the user. - ID string `ecs:"id"` - - // Short name or login of the user. - Name string `ecs:"name"` - - // User's full name, if available. - FullName string `ecs:"full_name"` - - // User email address. - Email string `ecs:"email"` - - // Unique user hash to correlate information for a user in anonymized form. - // Useful if `user.id` or `user.name` contain confidential information and - // cannot be used. - Hash string `ecs:"hash"` - - // Name of the directory the user is a member of. - // For example, an LDAP or Active Directory domain name. - Domain string `ecs:"domain"` - - // Array of user roles at the time of the event. - Roles string `ecs:"roles"` -} diff --git a/code/go/ecs/user_agent.go b/code/go/ecs/user_agent.go deleted file mode 100644 index c57652ef89..0000000000 --- a/code/go/ecs/user_agent.go +++ /dev/null 
@@ -1,37 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// The user_agent fields normally come from a browser request. -// They often show up in web service logs coming from the parsed user agent -// string. -type UserAgent struct { - // Unparsed user_agent string. - Original string `ecs:"original"` - - // Name of the user agent. - Name string `ecs:"name"` - - // Version of the user agent. - Version string `ecs:"version"` - - // Name of the device. - DeviceName string `ecs:"device.name"` -} diff --git a/code/go/ecs/version.go b/code/go/ecs/version.go deleted file mode 100644 index 04d4697736..0000000000 --- a/code/go/ecs/version.go +++ /dev/null 
@@ -1,23 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by scripts/gocodegen.go - DO NOT EDIT. - -package ecs - -// Version is the Elastic Common Schema version from which this was generated. -const Version = "8.0.0-dev" diff --git a/code/go/ecs/vlan.go b/code/go/ecs/vlan.go deleted file mode 100644 index d4a1e69fdf..0000000000 --- a/code/go/ecs/vlan.go +++ /dev/null 
@@ -1,44 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as
-// ingress and egress VLAN associations of an observer in relation to a
-// specific packet or connection.
-// Network.vlan fields are used to record a single VLAN tag, or the outer tag
-// in the case of q-in-q encapsulations, for a packet or connection as
-// observed, typically provided by a network sensor (e.g. Zeek, Wireshark)
-// passively reporting on traffic.
-// Network.inner VLAN fields are used to report inner q-in-q 802.1q tags
-// (multiple 802.1q encapsulations) as observed, typically provided by a
-// network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.
-// Network.inner VLAN fields should only be used in addition to network.vlan
-// fields to indicate q-in-q tagging.
-// Observer.ingress and observer.egress VLAN values are used to record observer
-// specific information when observer events contain discrete ingress and
-// egress VLAN information, typically provided by firewalls, routers, or load
-// balancers.
-type Vlan struct {
- // VLAN ID as reported by the observer.
- ID string `ecs:"id"`
-
- // Optional VLAN name as reported by the observer.
- Name string `ecs:"name"`
-}
diff --git a/code/go/ecs/vulnerability.go b/code/go/ecs/vulnerability.go
deleted file mode 100644
index bda83eae5c..0000000000
--- a/code/go/ecs/vulnerability.go
+++ /dev/null
@@ -1,96 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// The vulnerability fields describe information about a vulnerability that is
-// relevant to an event.
-type Vulnerability struct {
- // The classification of the vulnerability scoring system. For example
- // (https://www.first.org/cvss/)
- Classification string `ecs:"classification"`
-
- // The type of identifier used for this vulnerability. For example
- // (https://cve.mitre.org/about/)
- Enumeration string `ecs:"enumeration"`
-
- // A resource that provides additional information, context, and
- // mitigations for the identified vulnerability.
- Reference string `ecs:"reference"`
-
- // Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
- // Base scores cover an assessment for exploitability metrics (attack
- // vector, complexity, privileges, and user interaction), impact metrics
- // (confidentiality, integrity, and availability), and scope. For example
- // (https://www.first.org/cvss/specification-document)
- ScoreBase float64 `ecs:"score.base"`
-
- // Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
- // Temporal scores cover an assessment for code maturity, remediation
- // level, and confidence. For example
- // (https://www.first.org/cvss/specification-document)
- ScoreTemporal float64 `ecs:"score.temporal"`
-
- // Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
- // Environmental scores cover an assessment for any modified Base metrics,
- // confidentiality, integrity, and availability requirements. For example
- // (https://www.first.org/cvss/specification-document)
- ScoreEnvironmental float64 `ecs:"score.environmental"`
-
- // The National Vulnerability Database (NVD) provides qualitative severity
- // rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges
- // in addition to the severity ratings for CVSS v3.0 as they are defined in
- // the CVSS v3.0 specification.
- // CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based
- // non-profit organization, whose mission is to help computer security
- // incident response teams across the world. For example
- // (https://nvd.nist.gov/vuln-metrics/cvss)
- ScoreVersion string `ecs:"score.version"`
-
- // The type of system or architecture that the vulnerability affects. These
- // may be platform-specific (for example, Debian or SUSE) or general (for
- // example, Database or Firewall). For example
- // (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys
- // vulnerability categories])
- // This field must be an array.
- Category string `ecs:"category"`
-
- // The description of the vulnerability that provides additional context of
- // the vulnerability. For example
- // (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common
- // Vulnerabilities and Exposure CVE description])
- Description string `ecs:"description"`
-
- // The identification (ID) is the number portion of a vulnerability entry.
- // It includes a unique identification number for the vulnerability.
For
- // example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common
- // Vulnerabilities and Exposure CVE ID]
- ID string `ecs:"id"`
-
- // The name of the vulnerability scanner vendor.
- ScannerVendor string `ecs:"scanner.vendor"`
-
- // The severity of the vulnerability can help with metrics and internal
- // prioritization regarding remediation. For example
- // (https://nvd.nist.gov/vuln-metrics/cvss)
- Severity string `ecs:"severity"`
-
- // The report or scan identification number.
- ReportID string `ecs:"report_id"`
-}
diff --git a/code/go/ecs/x509.go b/code/go/ecs/x509.go
deleted file mode 100644
index d3509dda98..0000000000
--- a/code/go/ecs/x509.go
+++ /dev/null
@@ -1,115 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-import (
- "time"
-)
-
-// This implements the common core fields for x509 certificates. This
-// information is likely logged with TLS sessions, digital signatures found in
-// executable binaries, S/MIME information in email bodies, or analysis of
-// files on disk.
-// When the certificate relates to a file, use the fields at `file.x509`. When
-// hashes of the DER-encoded certificate are available, the `hash` data set
-// should be populated as well (e.g. `file.hash.sha256`).
-// Events that contain certificate information about network connections,
-// should use the x509 fields under the relevant TLS fields: `tls.server.x509`
-// and/or `tls.client.x509`.
-type X509 struct {
- // Version of x509 format.
- VersionNumber string `ecs:"version_number"`
-
- // Unique serial number issued by the certificate authority. For
- // consistency, if this value is alphanumeric, it should be formatted
- // without colons and uppercase characters.
- SerialNumber string `ecs:"serial_number"`
-
- // Distinguished name (DN) of issuing certificate authority.
- IssuerDistinguishedName string `ecs:"issuer.distinguished_name"`
-
- // List of common name (CN) of issuing certificate authority.
- IssuerCommonName string `ecs:"issuer.common_name"`
-
- // List of organizational units (OU) of issuing certificate authority.
- IssuerOrganizationalUnit string `ecs:"issuer.organizational_unit"`
-
- // List of organizations (O) of issuing certificate authority.
- IssuerOrganization string `ecs:"issuer.organization"`
-
- // List of locality names (L)
- IssuerLocality string `ecs:"issuer.locality"`
-
- // List of state or province names (ST, S, or P)
- IssuerStateOrProvince string `ecs:"issuer.state_or_province"`
-
- // List of country (C) codes
- IssuerCountry string `ecs:"issuer.country"`
-
- // Identifier for certificate signature algorithm. We recommend using names
- // found in Go Lang Crypto library. See
- // https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
- SignatureAlgorithm string `ecs:"signature_algorithm"`
-
- // Time at which the certificate is first considered valid.
- NotBefore time.Time `ecs:"not_before"`
-
- // Time at which the certificate is no longer considered valid.
- NotAfter time.Time `ecs:"not_after"`
-
- // Distinguished name (DN) of the certificate subject entity.
- SubjectDistinguishedName string `ecs:"subject.distinguished_name"`
-
- // List of common names (CN) of subject.
- SubjectCommonName string `ecs:"subject.common_name"`
-
- // List of organizational units (OU) of subject.
- SubjectOrganizationalUnit string `ecs:"subject.organizational_unit"`
-
- // List of organizations (O) of subject.
- SubjectOrganization string `ecs:"subject.organization"`
-
- // List of locality names (L)
- SubjectLocality string `ecs:"subject.locality"`
-
- // List of state or province names (ST, S, or P)
- SubjectStateOrProvince string `ecs:"subject.state_or_province"`
-
- // List of country (C) code
- SubjectCountry string `ecs:"subject.country"`
-
- // Algorithm used to generate the public key.
- PublicKeyAlgorithm string `ecs:"public_key_algorithm"`
-
- // The size of the public key space in bits.
- PublicKeySize int64 `ecs:"public_key_size"`
-
- // Exponent used to derive the public key. This is algorithm specific.
- PublicKeyExponent int64 `ecs:"public_key_exponent"`
-
- // The curve used by the elliptic curve public key algorithm. This is
- // algorithm specific.
- PublicKeyCurve string `ecs:"public_key_curve"`
-
- // List of subject alternative names (SAN). Name types vary by certificate
- // authority and certificate type but commonly contain IP addresses, DNS
- // names (and wildcards), and email addresses.
- AlternativeNames string `ecs:"alternative_names"`
-}
diff --git a/scripts/cmd/gocodegen/gocodegen.go b/scripts/cmd/gocodegen/gocodegen.go
deleted file mode 100644
index 303e8992f9..0000000000
--- a/scripts/cmd/gocodegen/gocodegen.go
+++ /dev/null
@@ -1,370 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package main
-
-import (
- "bufio"
- "bytes"
- "flag"
- "io/ioutil"
- "log"
- "os"
- "path/filepath"
- "strings"
- "text/template"
- "unicode"
-
- wordwrap "github.com/mitchellh/go-wordwrap"
-
- "github.com/elastic/beats/libbeat/common"
- "github.com/elastic/go-ucfg/yaml"
-)
-
-const license = `
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.
See the License for the
-// specific language governing permissions and limitations
-// under the License.`
-
-const typeTmpl = `
-{{.License}}
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-{{if .ImportTime -}}
-
-import (
- "time"
-)
-
-{{end -}}
-
-// {{.Description}}
-type {{.Name}} struct {
-{{- range $field := .Fields}}
- // {{$field.Comment}}
- {{$field.Name}} {{$field.Type}} \u0060ecs:"{{$field.JSONKey}}"\u0060
-{{ end -}}
-}
-{{ range $nestedField := .NestedTypes }}
-type {{$nestedField.Name}} struct {
-{{- range $field := $nestedField.Fields}}
- // {{$field.Comment}}
- {{$field.Name}} {{$field.Type}} \u0060ecs:"{{$field.JSONKey}}"\u0060
-{{ end -}}
-}
-{{ end -}}
-`
-
-const versionTmpl = `
-{{.License}}
-
-// Code generated by scripts/gocodegen.go - DO NOT EDIT.
-
-package ecs
-
-// Version is the Elastic Common Schema version from which this was generated.
-const Version = "{{.Version}}"
-`
-
-var (
- goFileTemplate = template.Must(template.New("type").Parse(
- strings.Replace(typeTmpl[1:], `\u0060`, "`", -1)))
-
- versionFileTemplate = template.Must(template.New("version").Parse(
- versionTmpl[1:]))
-)
-
-type GoType struct {
- License string
- Description string
- Name string
- Fields []Field
- NestedTypes map[string]*NestedField
- ImportTime bool
-}
-
-type NestedField struct {
- Name string
- Type string
- Fields []Field
- ImportTime bool
-}
-
-type Field struct {
- Comment string
- Name string
- Type string
- JSONKey string
-}
-
-// Flags
-var (
- schemaDir string
- outputDir string
- version string
-)
-
-func init() {
- flag.StringVar(&schemaDir, "schema", "schemas/", "Schema directory containing .yml files.")
- flag.StringVar(&outputDir, "out", "code/go/ecs", "Output directory for .go files.")
- flag.StringVar(&version, "version", "", "ECS Version (required)")
-}
-
-func main() {
- log.SetFlags(0)
- flag.Parse()
-
- if version == "" {
- log.Fatalf("Error: -version is required")
- }
-
- paths, err :=
filepath.Glob(filepath.Join(schemaDir, "*.yml"))
- if err != nil {
- log.Fatalf("Error: %v", err)
- }
-
- // Load schema files.
- fields := common.Fields{}
- for _, path := range paths {
- f := common.Fields{}
-
- cfg, err := yaml.NewConfigWithFile(path)
- if err != nil {
- log.Fatalf("Error: %v", err)
- }
- if err = cfg.Unpack(&f); err != nil {
- log.Fatalf("Error: %v", err)
- }
-
- for key := range f {
- // The definitions don't have the type group in and the template
- // generator assumes otherwise keyword as default.
- f[key].Type = "group"
- }
-
- fields = append(fields, f...)
- }
-
- // Generate Go source code.
- goFiles := map[string][]byte{}
- for _, group := range fields {
- if group.Type == "group" {
- t := GoType{
- License: license[1:],
- Description: descriptionToComment("", group.Description),
- Name: goTypeName(group.Name),
- NestedTypes: make(map[string]*NestedField),
- }
-
- for _, field := range group.Fields {
- // handle `nested` fields
- if field.Type == "nested" {
- n := NestedField{
- Name: goTypeName(field.Name),
- Type: "nested",
- }
-
- t.NestedTypes[field.Name] = &n
- fieldName := goTypeName(field.Name)
- t.Fields = append(t.Fields, Field{
- Comment: descriptionToComment("\t", field.Description),
- Name: goTypeName(fieldName),
- Type: "[]" + goTypeName(fieldName),
- JSONKey: field.Name,
- })
-
- } else {
- dataType := goDataType(field.Name, field.Type)
- if strings.HasPrefix(dataType, "time.") {
- t.ImportTime = true
- }
-
- // check if field belongs under a nested field
- if nestedField, ok := t.NestedTypes[(trimStringFromDot(field.Name))]; ok {
- prefix := strings.ToLower(nestedField.Name) + "."
- fieldNameWithoutPrefix := strings.ReplaceAll(field.Name, prefix, "")
- nestedField.Fields = append(nestedField.Fields, Field{
- Comment: descriptionToComment("\t", field.Description),
- Name: goTypeName(fieldNameWithoutPrefix),
- Type: dataType,
- JSONKey: fieldNameWithoutPrefix,
- })
- } else {
- t.Fields = append(t.Fields, Field{
- Comment: descriptionToComment("\t", field.Description),
- Name: goTypeName(field.Name),
- Type: dataType,
- JSONKey: field.Name,
- })
- }
- }
- }
-
- b := new(bytes.Buffer)
- err := goFileTemplate.Execute(b, t)
- if err != nil {
- log.Fatal(err)
- }
-
- goFiles[group.Name+".go"] = b.Bytes()
- }
- }
-
- // Create version.go containing a the version as a constant.
- b := new(bytes.Buffer)
- err = versionFileTemplate.Execute(b, map[string]interface{}{
- "License": license[1:],
- "Version": version,
- })
- if err != nil {
- log.Fatal(err)
- }
- goFiles["version.go"] = b.Bytes()
-
- // Output the files if there were no errors.
- for name, data := range goFiles {
- if err := os.MkdirAll(outputDir, 0755); err != nil {
- log.Fatalf("Error: %v", err)
- }
- if err := ioutil.WriteFile(filepath.Join(outputDir, name), data, 0644); err != nil {
- log.Fatalf("Error: %v", err)
- }
- }
-}
-
-// isSeparate returns true if the character is a field name separator. This is
-// used to detect the separators in fields like ephemeral_id or instance.name.
-func isSeparator(c rune) bool {
- switch c {
- case '.', '_':
- return true
- case '@':
- // This effectively filters @ from field names.
- return true
- default:
- return false
- }
-}
-
-// descriptionToComment builds a comment string that is wrapped at 80 chars.
-func descriptionToComment(indent, desc string) string {
- textLength := 80 - len(strings.Replace(indent, "\t", " ", 4)+" // ")
- lines := strings.Split(wordwrap.WrapString(desc, uint(textLength)), "\n")
- if len(lines) > 0 {
- // Remove empty first line.
- if strings.TrimSpace(lines[0]) == "" {
- lines = lines[1:]
- }
- }
- if len(lines) > 0 {
- // Remove empty last line.
- if strings.TrimSpace(lines[len(lines)-1]) == "" {
- lines = lines[:len(lines)-1]
- }
- }
- for i := 0; i < len(lines); i++ {
-
- }
- return trimTrailingWhitespace(strings.Join(lines, "\n"+indent+"// "))
-}
-
-func trimTrailingWhitespace(text string) string {
- var lines [][]byte
- s := bufio.NewScanner(bytes.NewBufferString(text))
- for s.Scan() {
- lines = append(lines, bytes.TrimRightFunc(s.Bytes(), unicode.IsSpace))
- }
- if err := s.Err(); err != nil {
- log.Fatal(err)
- }
- return string(bytes.Join(lines, []byte("\n")))
-}
-
-// goDataType returns the Go type to use for Elasticsearch mapping data type.
-func goDataType(fieldName, elasticsearchDataType string) string {
- // Special cases.
- switch {
- case fieldName == "duration" && elasticsearchDataType == "long":
- return "time.Duration"
- case fieldName == "args" && elasticsearchDataType == "keyword":
- return "[]string"
- }
-
- switch elasticsearchDataType {
- case "keyword", "wildcard", "version", "constant_keyword", "text", "match_only_text", "ip", "geo_point":
- return "string"
- case "long":
- return "int64"
- case "integer":
- return "int32"
- case "float", "scaled_float":
- return "float64"
- case "date":
- return "time.Time"
- case "boolean":
- return "bool"
- case "object", "flattened":
- return "map[string]interface{}"
- default:
- log.Fatalf("no translation for %v (field %s)", elasticsearchDataType, fieldName)
- return ""
- }
-}
-
-// abbreviations capitalizes common abbreviations.
-func abbreviations(abv string) string {
- switch strings.ToLower(abv) {
- case "id", "ppid", "pid", "pgid", "mac", "ip", "iana", "uid", "ecs", "as":
- return strings.ToUpper(abv)
- default:
- return abv
- }
-}
-
-// goTypeName removes special characters ('_', '.', '@') and returns a
-// camel-cased name.
-func goTypeName(name string) string {
- var b strings.Builder
- for _, w := range strings.FieldsFunc(name, isSeparator) {
- b.WriteString(strings.Title(abbreviations(w)))
- }
- return b.String()
-}
-
-// trim strings after "." character
-func trimStringFromDot(s string) string {
- if idx := strings.Index(s, "."); idx != -1 {
- return s[:idx]
- }
- return s
-}
diff --git a/scripts/cmd/template/template.go b/scripts/cmd/template/template.go
deleted file mode 100644
index 8ae6dff452..0000000000
--- a/scripts/cmd/template/template.go
+++ /dev/null
@@ -1,96 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package main
-
-import (
- "flag"
- "fmt"
- "log"
- "path/filepath"
-
- "github.com/elastic/beats/libbeat/common"
- "github.com/elastic/beats/libbeat/template"
- "github.com/elastic/go-ucfg/yaml"
-)
-
-// Flags
-var (
- schemaDir string
- version string
-)
-
-func init() {
- flag.StringVar(&schemaDir, "schema", "schemas/", "Schema directory containing .yml files.")
- flag.StringVar(&version, "version", "", "ECS Version (required)")
-}
-
-func main() {
- log.SetFlags(0)
- flag.Parse()
-
- if version == "" {
- log.Fatalf("Error: -version is required")
- }
-
- paths, err := filepath.Glob(filepath.Join(schemaDir, "*.yml"))
- if err != nil {
- log.Fatalf("Error: %v", err)
- }
-
- fields := common.Fields{}
-
- for _, path := range paths {
- f := common.Fields{}
-
- cfg, err := yaml.NewConfigWithFile(path)
- if err != nil {
- log.Fatalf("Error: %v", err)
- }
- cfg.Unpack(&f)
-
- for key, f2 := range f {
- // The definitions don't have the type group in and the template
- // generator assumes otherwise keyword as default
- f[key].Type = "group"
-
- // Moves the docs under base to the top level
- if f2.Name == "base" {
- f = f2.Fields
- }
- }
-
- fields =
append(fields, f...)
- }
-
- // If getting a failure on the following instantiation, check out / update Beats master
- esVersion := common.MustNewVersion("6.0.0")
- t, err := template.New(version, "ecs", *esVersion, template.TemplateConfig{})
- if err != nil {
- log.Fatalf("Error: %v", err)
- }
-
- // Start processing at the root
- properties := common.MapStr{}
- processor := template.Processor{}
- if err := processor.Process(fields, "", properties); err != nil {
- log.Fatalf("Error: %v", err)
- }
- output := t.Generate(properties, nil)
-
- fmt.Printf("%s", output.StringToPrint())
-}
diff --git a/scripts/go.mod b/scripts/go.mod
deleted file mode 100644
index 8f287b93a0..0000000000
--- a/scripts/go.mod
+++ /dev/null
@@ -1,18 +0,0 @@
-module github.com/elastic/ecs/scripts
-
-require (
- github.com/elastic/beats v7.0.0-alpha1.0.20181217223741-58573a9f3f15+incompatible
- github.com/elastic/go-ucfg v0.6.5
- github.com/gofrs/uuid v3.1.0+incompatible // indirect
- github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 // indirect
- github.com/mitchellh/go-wordwrap v1.0.0
- github.com/pkg/errors v0.8.0 // indirect
- go.uber.org/atomic v1.3.2 // indirect
- go.uber.org/multierr v1.1.0 // indirect
- go.uber.org/zap v1.9.1 // indirect
- golang.org/x/sys v0.0.0-20181217223516-dcdaa6325bcb // indirect
- gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
- gopkg.in/yaml.v2 v2.2.2 // indirect
-)
-
-go 1.13
diff --git a/scripts/go.sum b/scripts/go.sum
deleted file mode 100644
index ea7130c712..0000000000
--- a/scripts/go.sum
+++ /dev/null
@@ -1,24 +0,0 @@
-github.com/elastic/beats v7.0.0-alpha1.0.20181217223741-58573a9f3f15+incompatible h1:1mNuSTDPgWWkL+CWXkLxZhAquz6wqlPKEWaNRd8juzI=
-github.com/elastic/beats v7.0.0-alpha1.0.20181217223741-58573a9f3f15+incompatible/go.mod h1:7cX7zGsOwJ01FLkZs9Tg5nBdnQi6XB3hYAyWekpKgeY=
-github.com/elastic/go-ucfg v0.6.5 h1:i2Ry5MUSYBNVwqQyKlvnAKyyMQrdQtXpTaIzsJefU84=
-github.com/elastic/go-ucfg v0.6.5/go.mod h1:iaiY0NBIYeasNgycLyTvhJftQlQEUO2hpF+FX0JKxzo=
-github.com/gofrs/uuid v3.1.0+incompatible h1:q2rtkjaKT4YEr6E1kamy0Ha4RtepWlQBedyHx0uzKwA=
-github.com/gofrs/uuid v3.1.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 h1:rp+c0RAYOWj8l6qbCUTSiRLG/iKnW3K3/QfPPuSsBt4=
-github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901/go.mod h1:Z86h9688Y0wesXCyonoVr47MasHilkuLMqGhRZ4Hpak=
-github.com/mitchellh/go-wordwrap v1.0.0 h1:6GlHJ/LTGMrIJbwgdqdl2eEH8o+Exx/0m8ir9Gns0u4=
-github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
-github.com/pkg/errors v0.8.0 h1:WdK/asTD0HN+q6hsWO3/vpuAkAr+tw6aNJNDFFf0+qw=
-github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-go.uber.org/atomic v1.3.2 h1:2Oa65PReHzfn29GpvgsYwloV9AVFHPDk8tYxt2c2tr4=
-go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
-go.uber.org/multierr v1.1.0 h1:HoEmRHQPVSqub6w2z2d2EOVs2fjyFRGyofhKuyDq0QI=
-go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
-go.uber.org/zap v1.9.1 h1:XCJQEf3W6eZaVwhRBof6ImoYGJSITeKWsyeh3HFu/5o=
-go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-golang.org/x/sys v0.0.0-20181217223516-dcdaa6325bcb h1:zzdd4xkMwu/GRxhSUJaCPh4/jil9kAbsU7AUmXboO+A=
-golang.org/x/sys v0.0.0-20181217223516-dcdaa6325bcb/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod
h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=